Abstract


The logic of equality with uninterpreted functions (EUF) provides a means of abstracting the manipulation of data by a processor when verifying the correctness of its control logic. By reducing formulas in this logic to propositional formulas, we can apply Boolean methods such as Ordered Binary Decision Diagrams (BDDs) and Boolean satisfiability checkers to perform the verification. We can exploit characteristics of the formulas describing the verification conditions to greatly simplify the propositional formulas generated. We identify a class of terms we call “p-terms” for which equality comparisons can only be used in monotonically positive formulas. By applying suitable abstractions to the hardware model, we can express the functionality of data values and instruction addresses flowing through an instruction pipeline with p-terms. A decision procedure can exploit the restricted uses of p-terms by considering only “maximally diverse” interpretations of the associated function symbols, where every function application yields a different value except when constrained by functional consistency.

We present two methods to translate formulas in EUF into propositional logic. The first interprets the formula over a domain of fixed-length bit vectors and uses vectors of propositional variables to encode domain variables. The second generates formulas encoding the conditions under which pairs of terms have equal valuations, introducing propositional variables to encode the equality relations between pairs of terms. Both of these approaches can exploit maximal diversity to greatly reduce the number of propositional variables that need to be introduced and to reduce the overall formula sizes.

We present experimental results demonstrating the efficiency of this approach when verifying pipelined processors using the method proposed by Burch and Dill. Exploiting positive equality allows us to overcome the exponential blow-up experienced previously [VB98] when verifying microprocessors with load, store, and branch instructions.


1 Introduction


For automatically reasoning about pipelined processors, Burch and Dill demonstrated the value of using propositional logic, extended with uninterpreted functions, uninterpreted predicates, and the testing of equality [BD94]. Their approach involves abstracting the data path as a collection of registers and memories storing data, units such as ALUs operating on the data, and various connections and multiplexors providing methods for data to be transferred and selected. The initial state of each register is represented by a domain variable indicating an arbitrary data value. The operation of units that transform data is abstracted as blocks computing functions with no specified properties other than functional consistency, i.e., that applications of a function to equal arguments yield equal results: $x = y \Rightarrow f(x) = f(y)$. The state of a register at any point in the computation can be represented by a symbolic term, an expression consisting of a combination of domain variables, function and predicate applications, and Boolean operations. Verifying that a pipelined processor has behavior matching that of an unpipelined instruction set reference model can be performed by constructing a formula in this logic that compares for equality the terms describing the results produced by the two models and then proving the validity of this formula.

In their 1994 paper, Burch and Dill also described the implementation of a decision procedure for this logic based on theorem proving search methods. Their procedure builds on ones originally described by Shostak [Sho79] and by Nelson and Oppen [NO80], using combinatorial search coupled with algorithms for maintaining a partitioning of the terms into equivalence classes based on the equalities that hold at a given step of the search. More details of their decision procedure are given in [BDL96].

Burch and Dill’s work has generated considerable interest in the use of uninterpreted functions to abstract data operations in processor verification. A common theme has been to adopt Boolean methods, either to allow integration of uninterpreted functions into symbolic model checkers [DPR98, BBCZ98], or to allow the use of Binary Decision Diagrams (BDDs) [Bry86] in the decision procedure [HKGB97, GSZAS98, VB98]. Boolean methods allow a more direct modeling of the control logic of hardware designs and thus can be applied to actual processor designs rather than highly abstracted models. In addition to BDD-based decision procedures, Boolean methods could use some of the recently developed satisfiability procedures for propositional logic. In principle, Boolean methods could outperform decision procedures based on theorem proving search methods, especially when verifying processors with more complex control logic, e.g., due to superscalar or out-of-order operation.

Boolean methods can be used to decide the validity of a formula containing terms and uninterpreted functions by interpreting the formula over a domain of fixed-length bit vectors. Such an approach exploits the property that a given formula contains a limited number of function applications and therefore can be proved to be universally valid by considering its interpretation over a sufficiently large, but finite domain [Ack54]. If a formula contains a total of $m$ function applications, then the set of all bit vectors of length $k$ forms an adequate domain for $k \ge \log_2 m$. The formula to be verified can be translated into one in propositional logic, using vectors of propositional variables to encode the possible values generated by function applications [HKGB97]. Our implementation of such an approach [VB98] as part of a BDD-based symbolic simulation system was successful at verifying simple pipelined data paths. We found, however, that the computational resources grew exponentially as we increased the pipeline depth. Modeling the interactions between successive instructions flowing through the pipeline, as well as the functional consistency of the ALU results, precludes having an ordering of the variables encoding term values that yields compact BDDs. Similarly, we found that extending the data path to a complete processor by adding either load and store instructions or instruction fetch logic supporting jumps and conditional branches led to impossible BDD variable ordering requirements.

Goel et al. [GSZAS98] present an alternate approach to using BDDs to decide the validity of formulas in the logic of equality with uninterpreted functions. In their formulation they introduce a propositional variable $e_{i,j}$ for each pair of function application terms $T_i$ and $T_j$, expressing the conditions under which the two terms are equal. They add constraints expressing both functional consistency and the transitivity of equality among the terms. Their experimental results were also somewhat disappointing. For all previous methods of reducing EUF to propositional logic, Boolean methods have not lived up to their promise of outperforming ones based on theorem proving search.

In this paper, we show that the characteristics of the formulas generated when modeling processor pipelines can be exploited to greatly reduce the number of propositional variables that are introduced when translating the formula into propositional logic. We distinguish a class of terms we call p-terms for which equality comparisons can only be used in monotonically positive formulas. Such formulas are suitable for describing the top-level correctness condition, but not for modeling any control decisions in the hardware. By applying suitable abstractions to the hardware model, we can express the functionality of data values and instruction addresses with p-terms.

A decision procedure can exploit the restricted uses of p-terms by considering only “maximally diverse” interpretations of the associated “p-function” symbols, where every function application yields a different value except when constrained by functional consistency. We present a method of transforming a formula containing function applications into one containing only domain variables that differs from the commonly-used method described by Ackermann [Ack54]. Our method allows a translation into propositional logic that uses vectors with fixed bit patterns rather than propositional variables to encode domain variables introduced while eliminating p-function applications. This reduction in propositional variables greatly simplifies the BDDs generated when checking tautology, often avoiding the exponential blow-up experienced by other procedures. Alternatively, we can use an encoding scheme similar to Goel et al. [GSZAS98], but with many of the $e_{i,j}$ values set to false rather than to Boolean variables.

Others have recognized the value of restricting the testing of equality when modeling the flow of data in pipelines. Berezin et al. [BBCZ98] generate a model of an execution unit suitable for symbolic model checking in which the data values and operations are kept abstract. In our terminology, their functional terms are all p-terms. They use fixed bit patterns to represent the initial states of registers, much as we replace p-term domain variables by fixed bit patterns. To model the outcome of each program operation, they generate an entry in a “reference file” and refer to the result by a pointer to this file. These pointers are similar to the bit patterns we generate to denote the p-function application outcomes. This paper provides an alternate, and somewhat more general view of the efficiency gains allowed by p-terms.

Damm et al. consider an even more restricted logic such that in the terms describing the computed result, no function symbol is applied to a term that already contains the same symbol. As a consequence, they can guarantee that an equality between two terms holds universally if it holds over the domain $\{0, 1\}$ and with function symbols having four possible interpretations: constant functions 0 or 1, and projection functions selecting the first or second argument. They can therefore argue that verifying an execution unit in which the data path width is reduced to a single bit and in which the functional units implement only four functions suffices to prove its correctness for all possible widths and functionalities. Their work imposes far greater restrictions than we place on p-terms, but it allows them to bound the domain that must be considered to determine universal validity independently from the formula size.

In comparison to both of these other efforts, we maintain the full generality of the unrestricted terms of Burch and Dill while exploiting the efficiency gains possible with p-terms. In our processor model, we can abstract register identifiers as unrestricted terms, while modeling program data and instruction data as p-terms. As a result, our verifications cover designs with arbitrarily many registers. In contrast, both [BBCZ98] and [DPR98] used bit encodings of register identifiers and were unable to scale their verifications to a realistic number of registers.

In a recent paper, Pnueli et al. [PRSS99] also propose a method to exploit the polarity of the equations in a formula containing uninterpreted functions with equality. They describe an algorithm to generate a small domain for each domain variable such that the universal validity of the formula can be determined by considering only interpretations in which the variables range over their restricted domains. A key difference of their work is that they examine the equation structure after replacing all function application terms with domain variables and introducing functional consistency constraints as described by Ackermann [Ack54]. These consistency constraints typically contain large numbers of equations, far more than occur in the original formula, that mask the original p-term structure. As an example, comparing the top and bottom parts of Figure 6 illustrates the large number of equations that may be generated when applying Ackermann’s method. By contrast, our method is based on the original formula structure. In addition, we use a new method of replacing function application terms with domain variables. Our scheme allows us to exploit maximal diversity by assigning fixed values to the domain variables generated while expanding p-function application terms.

The remainder of the paper is organized as follows. We define the syntax and semantics of our logic by extending that of Burch and Dill. We prove our central result concerning the need to consider only maximally diverse interpretations when deciding the validity of formulas in our logic. As a first step in transforming our logic into propositional logic, we describe a new method of eliminating function application terms in a formula. Building on this, we describe two methods of translating formulas into propositional logic and show how these methods can exploit the properties of p-terms. We discuss the abstractions required to model processor pipelines in our logic. Finally, we present experimental results showing our ability to verify a simple, but complete pipelined processor.


term ::= ITE(formula, term, term)
       | function-symbol(term, ..., term)

formula ::= true | false | ¬formula
       | (formula ∧ formula) | (formula ∨ formula)
       | (term = term)
       | predicate-symbol(term, ..., term)

Figure 1: Syntax Rules for the Logic of Equality with Uninterpreted Functions (EUF)


2 Logic of Equality with Uninterpreted Functions (EUF)

The logic of Equality with Uninterpreted Functions (EUF) presented by Burch and Dill [BD94] can be expressed by the syntax given in Figure 1. In this logic, formulas have truth values while terms have values from some arbitrary domain. Terms are formed by application of uninterpreted function symbols and by applications of the ITE (for “if-then-else”) operator. The ITE operator chooses between two terms based on a Boolean control value, i.e., $ITE(true, x_1, x_2)$ yields $x_1$, while $ITE(false, x_1, x_2)$ yields $x_2$. Formulas are formed by comparing two terms with equality, by applying an uninterpreted predicate symbol to a list of terms, and by combining formulas using Boolean connectives. A formula expressing equality between two terms is called an equation. We use expression to refer to either a term or a formula.

Every function symbol $f$ has an associated order, denoted $ord(f)$, indicating the number of terms it takes as arguments. Function symbols of order zero are referred to as domain variables. We use the shortened form $v$ rather than $v()$ to denote an instance of a domain variable. Similarly, every predicate $p$ has an associated order $ord(p)$. Predicates of order zero are referred to as propositional variables, and can be written $a$ rather than $a()$.

The truth of a formula is defined relative to a nonempty domain $\mathcal{D}$ of values and an interpretation $I$ of the function and predicate symbols. Interpretation $I$ assigns to each function symbol of order $k$ a function from $\mathcal{D}^k$ to $\mathcal{D}$, and to each predicate symbol of order $k$ a function from $\mathcal{D}^k$ to $\{true, false\}$. For the special case of order 0 symbols, i.e., domain (respectively, propositional) variables, the interpretation assigns an element of $\mathcal{D}$ (resp., $\{true, false\}$). Given an interpretation $I$ of the function and predicate symbols and an expression $E$, we can define the valuation of $E$ under $I$, denoted $I[E]$, according to its syntactic structure. The valuation is defined recursively, as shown in Table 1. $I[E]$ will be an element of the domain when $E$ is a term, and a truth value when $E$ is a formula.


Form E                    Valuation I[E]
true                      true
false                     false
¬F                        ¬I[F]
F1 ∧ F2                   I[F1] ∧ I[F2]
p(T1, ..., Tk)            I(p)(I[T1], ..., I[Tk])
T1 = T2                   I[T1] = I[T2]
ITE(F, T1, T2)            ITE(I[F], I[T1], I[T2])
f(T1, ..., Tk)            I(f)(I[T1], ..., I[Tk])

Table 1: Evaluation of EUF Formulas and Terms

A formula $F$ is said to be true under interpretation $I$ when $I[F] = true$. It is said to be valid over domain $\mathcal{D}$ when it is true over domain $\mathcal{D}$ for all interpretations of the symbols in $F$. $F$ is said to be universally valid when it is valid over all domains. A basic property of validity is that a given formula is valid over a domain $\mathcal{D}$ iff it is valid over all domains having the same cardinality as $\mathcal{D}$. This follows from the fact that a given formula has the same truth value in any two isomorphic interpretations of the symbols in the formula. Another property of the logic, which can be readily shown, is that if $F$ is valid over a suitably large domain, then it is universally valid [Ack54]. In particular, it suffices to have a domain as large as the number of syntactically distinct function application terms occurring in $F$. We are interested in decision procedures that determine whether or not a formula is universally valid; we will show how to do this by dynamically constructing a sufficiently large domain as the formula is being analyzed.


3 Positive Equality with Uninterpreted Functions (PEUF)

We can improve the efficiency of validity checking by treating positive and negative equations differently when reducing EUF to propositional logic. Informally, an equation is positive if it does not appear negated in a formula. In particular, a positive equation cannot appear as the formula that controls the value of an ITE term; such formulas are considered to appear both positively and negatively.
g-term ::= ITE(formula, g-term, g-term)
         | g-function-symbol(p-term, ..., p-term)

p-term ::= g-term
         | ITE(formula, p-term, p-term)
         | p-function-symbol(p-term, ..., p-term)

formula ::= true | false | ¬formula
         | (formula ∧ formula) | (formula ∨ formula)
         | (g-term = g-term)
         | predicate-symbol(p-term, ..., p-term)

p-formula ::= formula
         | (p-formula ∧ p-formula) | (p-formula ∨ p-formula)
         | (p-term = p-term)

Figure 2: Syntax Rules for the Logic of Positive Equality with Uninterpreted Functions (PEUF)
3.1 Syntax


PEUF is an extended logic based on EUF; its syntax is shown in Figure 2. The main idea is that there are two disjoint classes of function symbols, called p-function symbols and g-function symbols, and two classes of terms.

General terms, or g-terms, correspond to terms in EUF. Syntactically, a g-term is a g-function application or an ITE term in which the two result terms are hereditarily built from g-function applications and ITEs.

The new class of terms is called positive terms, or p-terms. P-terms may not appear in negated equations, i.e., equations within the scope of a logical negation. Since p-terms can contain p-function symbols, the syntax is restricted in a way that prevents p-terms from appearing in negative equations. When two p-terms are compared for equality, the result is a special, restricted kind of formula called a p-formula.

Note that our syntax allows any g-term to be “promoted” to a p-term. Throughout the syntax definition, we require function and predicate symbols to take p-terms as arguments. However, since g-terms can be promoted, the requirement to use p-terms as arguments does not restrict the use of g-function symbols or g-terms. In essence, g-function symbols may be used as freely in our logic as in EUF, but the p-function symbols are restricted. To maintain the restriction on p-function symbols, the syntax does not permit a p-term to be promoted to a g-term.

A formula of the extended logic is a Boolean combination of equations on g-terms and applications of predicate symbols. Formulas in our logic serve as Boolean control expressions in ITE terms. A formula can contain negation, and ITE implicitly negates its Boolean control, so only g-terms are allowed in equations in formulas. Since a predicate formula $p(T_1, \ldots, T_k)$, where $p$ is a predicate symbol and the $T_i$ are terms, is not an equation, we allow the terms in predicate formulas to be chosen from the largest class of terms, namely the p-terms.

Finally, the syntactic class p-formula is the class for which we develop validity checking methods. P-formulas are built up using only the monotonically positive Boolean operations ∧ and ∨. P-formulas may not be placed under a negation sign, and cannot be used as the control for an ITE operation. As described in later sections, our validity checking methods will take advantage of the assumption that in p-formulas, the p-terms cannot appear in negative equations.

Observe that PEUF does not extend the expressive power of EUF: we could translate any PEUF expression into EUF by considering the g-terms and p-terms to be terms and the p-formulas to be formulas. Instead, the benefit of PEUF is that by distinguishing some portion of a formula as satisfying a restricted set of properties, we can radically reduce the number of different interpretations we must consider when proving that a p-formula is universally valid.

As a running example for this paper, we consider the formula $x = y \Rightarrow h(g(x), g(g(x))) = h(g(y), g(g(x)))$, which would be transformed into a p-formula $F_{eg}$ by eliminating the implication:

$$F_{eg} \;=\; \neg(x = y) \;\vee\; h(g(x), g(g(x))) = h(g(y), g(g(x))) \qquad (1)$$
Figure 3: Schematic Representation of $F_{eg}$. Domain values are shown as solid lines, while truth values are shown as dashed lines.


Domain variables $x$ and $y$ must be g-function symbols so that we can consider the equation $x = y$ to be a formula, and hence it can be negated to give formula $\neg(x = y)$. We can promote the g-terms $x$ and $y$ to p-terms, and we can consider function symbols $g$ and $h$ to be p-function symbols, giving p-terms $g(x)$, $g(y)$, $g(g(x))$, $h(g(x), g(g(x)))$, and $h(g(y), g(g(x)))$. Thus, the equation $h(g(x), g(g(x))) = h(g(y), g(g(x)))$ is a p-formula. We form the disjunction of this p-formula with the p-formula obtained by promoting $\neg(x = y)$, giving p-formula $F_{eg}$.

Figure 3 shows a schematic representation of $F_{eg}$, using drawing conventions similar to those found in hardware designs. That is, we view domain variables as inputs (shown along the bottom) to a network of operators. Domain values are denoted with solid lines, while truth values are denoted with dashed lines. The top-level formula then becomes the network output, shown on the right. The operators in the network are shared whenever possible. This representation is isomorphic to the traditional directed acyclic graph (DAG) representation of an expression, with maximal sharing of common subexpressions.


3.2 Diverse Interpretations

Let $\mathcal{T}$ be a set of terms, where a term may be either a g-term or a p-term. We consider two terms to be distinct only if they differ syntactically. An expression may therefore contain multiple instances of a single term. We classify terms as either p-function applications, g-function applications, or ITE terms, according to their top-level operation. The first two categories are collectively referred to as function application terms. For any formula or p-formula $F$, define $\mathcal{T}(F)$ as the set of all function application terms occurring in $F$.

An interpretation $I$ partitions a term set $\mathcal{T}$ into a set of equivalence classes, where terms $T_1$ and $T_2$ are equivalent under $I$, written $T_1 \equiv_I T_2$, when $I[T_1] = I[T_2]$. Interpretation $I'$ is said to be a refinement of $I$ for term set $\mathcal{T}$ when $T_1 \equiv_{I'} T_2 \Rightarrow T_1 \equiv_I T_2$ for every pair of terms $T_1$ and $T_2$ in $\mathcal{T}$. $I'$ is a proper refinement of $I$ for $\mathcal{T}$ when it is a refinement and there is at least one pair of terms $T_1, T_2 \in \mathcal{T}$ such that $T_1 \equiv_I T_2$, but $T_1 \not\equiv_{I'} T_2$.


I1   {x, y}, {g1}, {g2}, {g3}, {h1}, {h2}          Inconsistent
I2   {x}, {y}, {g1, g2}, {g3}, {h1}, {h2}          Inconsistent
C1   {x}, {y}, {g1, g2}, {g3}, {h1, h2}            Diverse w.r.t. x, y, h
C2   {x, g3}, {y}, {g1}, {g2}, {h1}, {h2}          Diverse w.r.t. y, h
D1   {x}, {y}, {g1}, {g2}, {g3}, {h1}, {h2}        Diverse w.r.t. x, y, g, h
D2   {x, y}, {g1, g2}, {g3}, {h1, h2}              Diverse w.r.t. g, h

Table 2: Example Partitionings of Terms x, y, g1 = g(x), g2 = g(y), g3 = g(g(x)), h1 = h(g(x), g(g(x))), and h2 = h(g(y), g(g(x))).

Let $\Sigma$ denote a subset of the function symbols in formula $F$. An interpretation $I$ is said to be diverse for $F$ with respect to $\Sigma$ when it provides a maximal partitioning of the function application terms in $\mathcal{T}(F)$ having a top-level function symbol from $\Sigma$ relative to each other and to the other function application terms, but subject to the constraints of functional consistency. That is, for $T_1$ of the form $f(T_{1,1}, \ldots, T_{1,k})$, where $f \in \Sigma$, an interpretation $I$ is diverse with respect to $\Sigma$ if $I$ has $T_1 \equiv_I T_2$ only in the case where $T_2$ is also a term of the form $f(T_{2,1}, \ldots, T_{2,k})$, and $T_{1,i} \equiv_I T_{2,i}$ for all $i$ such that $1 \le i \le k$. If we let $\Sigma_P(F)$ denote the set of all p-function symbols in $F$, then interpretation $I$ is said to be maximally diverse when it is diverse with respect to $\Sigma_P(F)$. Note that this property requires the p-function application terms to be in separate equivalence classes from the g-function application terms.

As an example, consider the p-formula $F_{eg}$ given in Equation 1. There are seven distinct function application terms, identified as follows:

x  = x
y  = y
g1 = g(x)
g2 = g(y)
g3 = g(g(x))
h1 = h(g(x), g(g(x)))
h2 = h(g(y), g(g(x)))

Table 2 shows 6 of the 877 different ways to partition seven objects into equivalence classes. Many of these violate functional consistency. For example, the partitioning I1 describes a case where $x$ and $y$ are equal, but $g(x)$ and $g(y)$ are not. Similarly, partitioning I2 describes a case where $g(x)$ and $g(y)$ are equal, but $h(g(x), g(g(x)))$ and $h(g(y), g(g(x)))$ are not.

Eliminating the inconsistent cases gives 384 partitionings. Many of these do not arise from maximally diverse interpretations, however. For example, partitioning C1 arises from an interpretation that is not diverse with respect to $g$: it places $g(x)$ and $g(y)$ in the same class although $x$ and $y$ are in different classes. Partitioning C2 is likewise not diverse with respect to $g$ (nor with respect to $x$), since it places $g(g(x))$ in the same class as the domain variable $x$, which is not a $g$-application at all. In fact, only two partitionings, D1 and D2, arise from maximally diverse interpretations. Partition D1 corresponds to an interpretation that is diverse with respect to all of its function symbols. Partition D2 is diverse with respect to both $g$ and $h$, even though terms $g_1$ and $g_2$ are in the same class, as are $h_1$ and $h_2$. Both of these groupings are forced by functional consistency: having $x = y$ forces $g(x) = g(y)$, which in turn forces $h(g(x), g(g(x))) = h(g(y), g(g(x)))$. Since $g$ and $h$ are the only p-function symbols, D2 is maximally diverse.
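To make the partition counting above concrete, here is an added Python example (not code from the paper or its authors) that enumerates all 877 partitionings of the seven function application terms of $F_{eg}$, keeps the 384 that respect functional consistency, and picks out the maximally diverse ones with respect to the p-function symbols $g$ and $h$. It evaluates $F_{eg}$ on every surviving partitioning using the Table 1 rules (a consistent partitioning induces an interpretation in which each term's value is its class), and its `split_class` function mirrors, at the partition level, the class-splitting refinement used in the proof of Lemma 1 below. The tuple encoding of terms, the helper names and the formula representation are this example's own choices, not notation from the paper.

```python
"""Added example: interpretations of F_eg as partitionings of its function
application terms.  Term encoding and helper names are this example's own."""
from itertools import combinations

# Terms are nested tuples (symbol, arg, ...); domain variables have no arguments.
X, Y = ("x",), ("y",)
G1, G2, G3 = ("g", X), ("g", Y), ("g", ("g", X))
H1, H2 = ("h", G1, G3), ("h", G2, G3)
TERMS = [X, Y, G1, G2, G3, H1, H2]          # T(F_eg): the seven distinct terms
NAME = dict(zip(TERMS, ["x", "y", "g1", "g2", "g3", "h1", "h2"]))

# F_eg = not(x = y) or h(g(x), g(g(x))) = h(g(y), g(g(x)))   (Equation 1)
F_EG = ("or", ("not", ("=", X, Y)), ("=", H1, H2))


def set_partitions(items):
    """Yield every partitioning of `items` into classes (Bell(7) = 877 for TERMS)."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for sub in set_partitions(rest):
        for i in range(len(sub)):            # put `first` into an existing class ...
            yield sub[:i] + [[first] + sub[i]] + sub[i + 1:]
        yield [[first]] + sub                # ... or into a class of its own


def same(partition, t1, t2):
    """T1 =_I T2: both terms lie in the same equivalence class."""
    return any(t1 in cls and t2 in cls for cls in partition)


def args_equivalent(partition, t1, t2):
    """Same function symbol applied to pairwise-equivalent arguments."""
    return (t1[0] == t2[0] and len(t1) == len(t2)
            and all(same(partition, a, b) for a, b in zip(t1[1:], t2[1:])))


def consistent(partition):
    """Functional consistency: equivalent arguments force equivalent results."""
    return all(same(partition, t1, t2)
               for t1, t2 in combinations(TERMS, 2)
               if args_equivalent(partition, t1, t2))


def diverse(partition, symbols):
    """Diverse w.r.t. `symbols`: a term headed by one of them shares its class only
    with applications of the same symbol to pairwise-equivalent arguments."""
    return all(args_equivalent(partition, t1, t2)
               for t1 in TERMS if t1[0] in symbols
               for t2 in TERMS if t2 != t1 and same(partition, t1, t2))


def holds(partition, formula):
    """Table 1 evaluation under the interpretation a consistent partitioning induces."""
    op = formula[0]
    if op == "not":
        return not holds(partition, formula[1])
    if op == "and":
        return holds(partition, formula[1]) and holds(partition, formula[2])
    if op == "or":
        return holds(partition, formula[1]) or holds(partition, formula[2])
    if op == "=":
        return same(partition, formula[1], formula[2])
    raise ValueError(f"unknown operator {op!r}")


def split_class(partition, t1):
    """Partition-level view of the refinement in Lemma 1: give t1 (and every other
    application of the same symbol to arguments equivalent to t1's) the fresh
    value z', leaving every other term in the class it already had."""
    movers = [t for t in TERMS if args_equivalent(partition, t, t1)]
    kept = [[t for t in cls if t not in movers] for cls in partition]
    return [cls for cls in kept if cls] + [movers]


def analyse(formula=F_EG, p_symbols=("g", "h")):
    """Count partitionings at each stage and check `formula` on the survivors."""
    every = list(set_partitions(TERMS))
    cons = [p for p in every if consistent(p)]
    maxdiv = [p for p in cons if diverse(p, set(p_symbols))]
    return {
        "all": len(every),
        "consistent": len(cons),
        "maximally_diverse": len(maxdiv),
        "valid_on_consistent": all(holds(p, formula) for p in cons),
        "valid_on_maximally_diverse": all(holds(p, formula) for p in maxdiv),
        "maximally_diverse_partitions": [
            sorted(sorted(NAME[t] for t in cls) for cls in p) for p in maxdiv],
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Running `analyse()` reports 877 partitionings in all, 384 consistent ones, and exactly the two maximally diverse partitionings D1 and D2 of Table 2, with $F_{eg}$ true on every consistent partitioning and hence on both diverse ones. Applying `split_class` to C1 at $g_1$ separates $g_1$ from $g_2$ while leaving $h_1$ and $h_2$ together (still consistent, since functional consistency only forces equalities and never forbids them); splitting again at $h_1$ reaches D1, which is the refinement process the Lemma 1 proof iterates.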

Theorem 1 A p-formula $F$ is universally valid if and only if it is true in all maximally diverse interpretations.


First, it is clear that if $F$ is universally valid, $F$ is true in all maximally diverse interpretations. We prove via the following two lemmas that if $F$ is true in all maximally diverse interpretations it is universally valid.

Lemma 1 If interpretation $J$ is not maximally diverse for p-formula $F$, then there is an interpretation $J'$ that is a proper refinement of $J$ such that $J'[F] \Rightarrow J[F]$.


Proof: Let $T_1$ be a term occurring in $F$ of the form $f_1(T_{1,1}, \ldots, T_{1,k_1})$, where $f_1$ is a p-function symbol. Let $T_2$ be a term occurring in $F$ of the form $f_2(T_{2,1}, \ldots, T_{2,k_2})$, where $f_2$ may be either a p-function or a g-function symbol. Assume furthermore that $J[T_1]$ and $J[T_2]$ both equal $z$, but that either symbols $f_1$ and $f_2$ differ, or $J[T_{1,i}] \ne J[T_{2,i}]$ for some value of $i$.

Let  z'  be  a  value  not  in  T>,  and  define  a  new  domain  T>'  =  Pu  {z1}.  Our  strategy  is  to  construct 
an  interpretation  J'  over  V  that  partitions  the  terms  in  T(F)  in  the  same  way  as  J,  except  that  it 
splits  the  class  containing  terms  7\  and  T2  into  two  parts — one  containing  Tx  and  evaluating  to  z', 
and  the  other  containing  T2  and  evaluating  to  2. 

Define  function  h:  V  — >•  V  to  map  elements  of  V  back  to  their  counterparts  in  V,  i.e.,  h(z')  = 
z,  while  all  other  values  of  x  give  h(x)  equal  to  x. 

For  p-function  symbol  fi,  define  J'(.fi)  as: 


J'(fi)(xu...,xkl) 


z’,  h(xi )  =  «/[7i,i],  1  <  i  <  ki 

J{fi)(h{xi),...,h(xkl)),  otherwise 


For  other  function  and  predicate  symbols,  J'  is  defined  to  preserve  the  functionality  of  interpre¬ 
tation  J,  while  also  treating  argument  values  of  z'  the  same  as  2.  That  is,  J'{f)  for  function  symbol 
/  having  ord(f)  equal  to  k  is  defined  such  that  J'(f)(xu  ...,xk)  =  J(f)(h(x  1 ), . . . ,  h(xk)).  Sim¬ 
ilarly,  J'(p)  for  predicate  symbol  p  having  ord(p)  equal  to  k  is  defined  such  that  J'(p)(xi, . . . ,  xk)  = 
J(p)(h(x1),...,h(xk)). 

We claim the following properties for the different forms of subexpressions occurring in $F$:

1. For every formula $G$: $J'[G] = J[G]$

2. For every g-term $T$: $J'[T] = J[T]$

3. For every p-term $T$: $h(J'[T]) = J[T]$

4. For every p-formula $G$: $J'[G] \Rightarrow J[G]$

5. $J'[T_1] = z'$ and $J'[T_2] = z$.

These properties can be proved by induction on the expression depths. Informally, interpretation $J'$ maintains the values of all g-terms and formulas as they occur under interpretation $J$. It also maintains the values of all p-terms, except those in the class containing terms $T_1$ and $T_2$. These p-terms are split into some having valuation $z$ and others having valuation $z'$. With respect to p-formulas, consider first an equation of the form $S_1 = S_2$ where $S_1$ and $S_2$ are p-terms. The equation will yield the same value under both interpretations except under the condition that $S_1$ and $S_2$ are split into different parts of the class that originally evaluated to $z$, in which case the equation will yield true under $J$, but false under $J'$. Thus, although this equation can yield different values under the two interpretations, we always have that $J'[S_1 = S_2] \Rightarrow J[S_1 = S_2]$. This implication relation is preserved by conjunctions and disjunctions of p-formulas, due to the monotonicity of these operations.

We will now present this argument formally. We define the depth of an expression $E$, $\mathit{depth}(E)$, in the familiar way:

1. $\mathit{depth}(\mathbf{true}) = \mathit{depth}(\mathbf{false}) = 0$.

2. $\mathit{depth}(v) = 0$, for domain variable $v$.

3. $\mathit{depth}(a) = 0$, for propositional variable $a$.

4. For any other expression $E$, $\mathit{depth}(E)$ is given by 1 plus the maximum depth of a subexpression in $E$.

We prove hypotheses 1 to 4 above by simultaneous induction on the depth of expressions:

For the base case of the induction, we have:

1. Formula: $J'[\mathbf{true}] = J[\mathbf{true}]$, $J'[\mathbf{false}] = J[\mathbf{false}]$, and $J'[a] = J[a]$ for any propositional variable $a$.

2. G-term: If $v$ is a g-function symbol of zero order, then $J'(v) = J(v)$.

3. P-term: If $v$ is a p-function symbol of zero order, then by the definition of $J'$, $h(J'(v)) = J(v)$.

4. P-formula: same as formula.

For the induction case, we assume that the inductive hypotheses 1 through 4 hold for all expressions of depth $\le n$, and show that the hypotheses hold for expressions of depth $n + 1$.
1. Formula: There are several cases, depending on the form of $G$.

(a) Suppose $G$ has one of the forms $\neg G_1$, $G_1 \wedge G_2$, $G_1 \vee G_2$, where $G_1$ and $G_2$ are formulas. By the inductive hypothesis, $J'[G_1] = J[G_1]$ and $J'[G_2] = J[G_2]$. It follows that $J'[\neg G_1] = J[\neg G_1]$, $J'[G_1 \wedge G_2] = J[G_1 \wedge G_2]$, and $J'[G_1 \vee G_2] = J[G_1 \vee G_2]$.

(b) Suppose $G$ has the form $S_1 = S_2$, where $S_1, S_2$ are g-terms. By the inductive hypothesis on g-terms, $J'[S_1] = J[S_1]$ and $J'[S_2] = J[S_2]$. It follows that $J'[S_1 = S_2] = J[S_1 = S_2]$.

(c) The remaining case is that $G$ is a predicate application of the form $p(S_1, \ldots, S_k)$, where $p$ is a predicate symbol of order $k$, and $S_1, \ldots, S_k$ are p-terms. By the inductive hypothesis for p-terms, we have $h(J'[S_i]) = J[S_i]$, for $i = 1, \ldots, k$. By the definition of $J'$,

$$\begin{aligned} J'[p(S_1, \ldots, S_k)] &= J'(p)(J'[S_1], \ldots, J'[S_k]) \\ &= J(p)(h(J'[S_1]), \ldots, h(J'[S_k])) \\ &= J(p)(J[S_1], \ldots, J[S_k]) \\ &= J[p(S_1, \ldots, S_k)]. \end{aligned}$$

2. G-term: There are two cases.

(a) Suppose $T$ has the form $\mathit{ITE}(G, S_1, S_2)$, where $G$ is a formula, and $S_1$ and $S_2$ are g-terms. By the inductive hypothesis, we have $J'[G] = J[G]$, $J'[S_1] = J[S_1]$, and $J'[S_2] = J[S_2]$. Then $J'[\mathit{ITE}(G, S_1, S_2)] = J[\mathit{ITE}(G, S_1, S_2)]$.

(b) Suppose $T$ has the form $f(S_1, \ldots, S_k)$, where $f$ is a g-function symbol of order $k$ and $S_1, \ldots, S_k$ are p-terms. By the inductive hypothesis, $h(J'[S_i]) = J[S_i]$, for $i = 1, \ldots, k$. Then we have

$$\begin{aligned} J'[f(S_1, \ldots, S_k)] &= J'(f)(J'[S_1], \ldots, J'[S_k]) \\ &= J(f)(h(J'[S_1]), \ldots, h(J'[S_k])) \\ &= J(f)(J[S_1], \ldots, J[S_k]) \\ &= J[f(S_1, \ldots, S_k)]. \end{aligned}$$


3. P-term: There are three cases.

(a) Suppose $T$ is a g-term. By the inductive hypothesis, $J'[T] = J[T]$. Since $J[T]$ cannot be equal to $z'$, it must be the case that $h(J'[T]) = J[T]$.

(b) Suppose $T$ has the form $\mathit{ITE}(G, S_1, S_2)$, where $G$ is a formula, and $S_1$ and $S_2$ are p-terms. By the inductive hypothesis, $J'[G] = J[G]$, $h(J'[S_1]) = J[S_1]$, and $h(J'[S_2]) = J[S_2]$. It follows that

$$\begin{aligned} h(J'[\mathit{ITE}(G, S_1, S_2)]) &= \text{if } J'[G] \text{ then } h(J'[S_1]) \text{ else } h(J'[S_2]) \\ &= \text{if } J[G] \text{ then } J[S_1] \text{ else } J[S_2] \\ &= J[\mathit{ITE}(G, S_1, S_2)]. \end{aligned}$$

(c) Suppose that $T$ has the form $f(S_1, \ldots, S_k)$, where $f$ is a p-function symbol of order $k$ and $S_1, \ldots, S_k$ are p-terms. Here, we have to consider two cases. The first case is that the following two conditions hold: (1) $f$ is the function symbol $f_1$, i.e., the function symbol of the term $T_1$ mentioned at the beginning of the proof of this lemma, and (2) $h(J'[S_i]) = J[T_{1,i}]$, for $1 \le i \le k$. If these two conditions hold, then by the definition of $J'$, $J'[f_1(S_1, \ldots, S_k)] = z'$, while $J[f_1(S_1, \ldots, S_k)] = z$. Since $h(z') = z$, we have

$$h(J'[f_1(S_1, \ldots, S_k)]) = J[f_1(S_1, \ldots, S_k)].$$

Now we consider the case that one of the two conditions mentioned above does not hold. The proof of this case is identical to the proof of case 2(b) above.

4. P-formula: There are three cases.

(a) If the p-formula $G$ is a formula, then by the inductive hypothesis, $J'[G] = J[G]$, so $J'[G] \Rightarrow J[G]$.

(b) Suppose $G$ has one of the forms $G_1 \wedge G_2$ or $G_1 \vee G_2$, where $G_1, G_2$ are p-formulas. By the inductive hypothesis, $J'[G_1] \Rightarrow J[G_1]$ and $J'[G_2] \Rightarrow J[G_2]$. Thus we have

$$\begin{aligned} J'[G_1 \wedge G_2] &= J'[G_1] \wedge J'[G_2] \\ &\Rightarrow J[G_1] \wedge J[G_2] \\ &= J[G_1 \wedge G_2], \end{aligned}$$

so $J'[G_1 \wedge G_2] \Rightarrow J[G_1 \wedge G_2]$. The proof for $G_1 \vee G_2$ is the same.

(c) Finally, we consider the case that $G$ is a p-formula of the form $S_1 = S_2$, where $S_1$ and $S_2$ are p-terms. By the inductive hypothesis, we have that if $J'[S_i] = z'$, then $J[S_i] = z$, for $i = 1, 2$. Also, by the definition of $h$, we have that if $J'[S_i]$ does not equal $z'$, then $J'[S_i] = J[S_i]$. Now, we consider cases depending on whether $J'[S_1]$ or $J'[S_2]$ are equal to $z'$. If both terms are equal to $z'$ in $J'$, then both $J[S_1]$ and $J[S_2]$ must be equal to $z$, so the equation is true in both $J'$ and $J$. If neither $J'[S_1]$ nor $J'[S_2]$ is equal to $z'$, then $J'[S_1] = J[S_1]$ and $J'[S_2] = J[S_2]$, so the equation has the same truth value in $J'$ and $J$. The last case is that exactly one of the p-terms is equal to $z'$ in $J'$. In this case, the equation is false in $J'$, so we have $J'[G] \Rightarrow J[G]$. This completes the inductive proof.

Property 5 above, which implies that $J'$ is a proper refinement, is a consequence of the definition of $J'$ and the inductive properties 2 and 3. First, we show that $J'[T_1] = z'$. By definition, $J'[T_1] = J'(f_1)(J'[T_{1,1}], \ldots, J'[T_{1,k_1}])$. By property 3 on p-terms, we can assume $h(J'[T_{1,i}]) = J[T_{1,i}]$, for all $i$ in the range $1 \le i \le k_1$. By the definition of $J'(f_1)$, we have $J'(f_1)(J'[T_{1,1}], \ldots, J'[T_{1,k_1}]) = z'$.

The proof that $J'[T_2] = z$ is in two cases, depending on whether $T_1$ and $T_2$ are applications of the same function symbol.

1. First, consider the case that $T_1 = f_1(T_{1,1}, \ldots, T_{1,k_1})$ and $T_2 = f_2(T_{2,1}, \ldots, T_{2,k_2})$, where $f_1$ and $f_2$ are different function symbols. In this case,

$$\begin{aligned} J'[T_2] &= J'(f_2)(J'[T_{2,1}], \ldots, J'[T_{2,k_2}]) \\ &= J(f_2)(h(J'[T_{2,1}]), \ldots, h(J'[T_{2,k_2}])), \text{ by the definition of } J'(f_2) \\ &= J(f_2)(J[T_{2,1}], \ldots, J[T_{2,k_2}]), \text{ by the inductive hypothesis} \\ &= J[f_2(T_{2,1}, \ldots, T_{2,k_2})] \\ &= z. \end{aligned}$$

2. Finally, we have the case that $f_1$ and $f_2$ are the same function symbol (so $k_2 = k_1$), and there is some value of $l$ with $1 \le l \le k_1$, such that $J[T_{1,l}]$ does not equal $J[T_{2,l}]$. Here, we have:

$$J'[f_1(T_{2,1}, \ldots, T_{2,k_1})] = J'(f_1)(J'[T_{2,1}], \ldots, J'[T_{2,k_1}])$$

By property 3, $h(J'[T_{2,i}]) = J[T_{2,i}]$, for all $i$ such that $1 \le i \le k_1$. Since $J[T_{1,l}]$ does not equal $J[T_{2,l}]$, the value of the above application of $J'(f_1)$ is:

$$\begin{aligned} J'(f_1)(J'[T_{2,1}], \ldots, J'[T_{2,k_1}]) &= J(f_1)(h(J'[T_{2,1}]), \ldots, h(J'[T_{2,k_1}])) \\ &= J(f_1)(J[T_{2,1}], \ldots, J[T_{2,k_1}]) \\ &= J[f_1(T_{2,1}, \ldots, T_{2,k_1})] \\ &= z. \end{aligned}$$

□


Lemma 2 For any interpretation $I$ and p-formula $F$, there is a maximally diverse interpretation $I^*$ for $F$ such that $I^*[F] \Rightarrow I[F]$.


Proof: Starting with interpretation $I_0$ equal to $I$, we define a sequence of interpretations $I_0, I_1, \ldots$ by repeatedly applying the construction of Lemma 1. That is, we derive each interpretation $I_{i+1}$ from its predecessor $I_i$ by letting $J = I_i$ and letting $I_{i+1} = J'$. Interpretation $I_{i+1}$ is a proper refinement of its predecessor $I_i$ such that $I_{i+1}[F] \Rightarrow I_i[F]$. At some step $n$, we must reach a maximally diverse interpretation $I_n$, because our set $\mathcal{T}(F)$ is finite and therefore can only be properly refined a finite number of times. We then let $I^*$ be $I_n$. We can see that $I^*[F] = I_n[F] \Rightarrow \cdots \Rightarrow I_0[F] = I[F]$, and hence $I^*[F] \Rightarrow I[F]$. □

The completion of the proof of Theorem 1 follows directly from Lemma 2. That is, if we start with any interpretation $I$ for p-formula $F$, we can construct a maximally diverse interpretation $I^*$ such that $I^*[F] \Rightarrow I[F]$. Assuming $F$ is true under all maximally diverse interpretations, $I^*[F]$ must hold, and since $I^*[F] \Rightarrow I[F]$, $I[F]$ must hold as well.
3.3 Exploiting Positive Equality in a Decision Procedure

A decision procedure for PEUF must determine whether a given p-formula is universally valid. The procedure can significantly reduce the range of possible interpretations it must consider by exploiting the maximal diversity property. Theorem 1 shows that we can consider only interpretations in which the values produced by the application of any p-function symbol differ from those produced by the applications of any other p-function or g-function symbol. We can therefore consider the different p-function symbols to yield values over domains disjoint with one another and with the domain of g-function values. In addition, we can consider each application of a p-function symbol to yield a distinct value, except when its arguments match those of some other application.


4  Eliminating  Function  Applications 

Most work on transforming EUF into propositional logic has used the method described by Ackermann to eliminate applications of functions of nonzero order [Ack54]. In this scheme, each function application term is replaced by a new domain variable and constraints are added to the formula expressing functional consistency. Our approach also introduces new domain variables, but it replaces each function application term with a nested ITE structure that directly captures the effects of functional consistency. As we will show, our approach can readily exploit the maximal diversity property, while Ackermann's cannot.


4.1  Function  Application  Elimination  Example 


We demonstrate our technique for replacing function applications by domain variables using p-formula $F_{eg}$ (Equation 1) as an example, as illustrated in Figure 4. First consider the three applications of function symbol $g$: $g(x)$, $g(y)$, and $g(g(x))$, which we identify as terms $T_1$, $T_2$, and $T_3$, respectively. Let $\mathit{vg}_1$, $\mathit{vg}_2$, and $\mathit{vg}_3$ be new domain variables. We generate new terms $U_1$, $U_2$, and $U_3$ as follows:

$$\begin{aligned} U_1 &= \mathit{vg}_1 \\ U_2 &= \mathit{ITE}(y = x, \mathit{vg}_1, \mathit{vg}_2) \\ U_3 &= \mathit{ITE}(\mathit{vg}_1 = x, \mathit{vg}_1, \mathit{ITE}(\mathit{vg}_1 = y, \mathit{vg}_2, \mathit{vg}_3)) \end{aligned} \qquad (2)$$

Observe that we use variable $\mathit{vg}_1$, the translation of $g(x)$, to represent the argument to the outer application of function symbol $g$ in the term $g(g(x))$. In general, we must always process nested applications of a given function symbol working from the innermost to the outermost. Given terms $U_1$, $U_2$, and $U_3$, we eliminate the function applications by replacing each instance of $T_i$ in
the formula by $U_i$ for $1 \le i \le 3$, as shown in the middle part of Figure 4. We use multiplexors in our schematic diagrams to represent ITE operations.

Figure 4: Removing Function Applications from $F_{eg}$. (Schematic in three parts: the initial formula over domain variables $x$ and $y$; the formula after removing the applications of function symbol $g$, which introduces $\mathit{vg}_1$, $\mathit{vg}_2$, $\mathit{vg}_3$; and the formula after removing the applications of function symbol $h$, which introduces $\mathit{vh}_1$, $\mathit{vh}_2$.)

Partitioning of $x$, $y$, $g(x)$      $I^*[U_1]$   $I^*[U_2]$   $I^*[U_3]$
$\{x\}, \{y\}, \{g(x)\}$                  1            2            3
$\{x, y\}, \{g(x)\}$                      1            1            3
$\{x\}, \{y, g(x)\}$                      1            2            2
$\{x, g(x)\}, \{y\}$                      1            2            1
$\{x, y, g(x)\}$                          1            1            1

Table 3: Possible valuations of terms in Equation 2 when each variable $\mathit{vg}_i$ is assigned value $i$.

Observe that as we consider interpretations with different values for variables $\mathit{vg}_1$, $\mathit{vg}_2$, and $\mathit{vg}_3$ in Equation 2, we implicitly cover all values that an interpretation of function symbol $g$ in formula $F_{eg}$ may yield for the three arguments. The nested ITE structure shown in Equation 2 enforces functional consistency. For example, Table 3 shows the possible valuations of the three terms of Equation 2 for an interpretation $I^*$ assigning values 1, 2, and 3 to domain variables $\mathit{vg}_1$, $\mathit{vg}_2$, and $\mathit{vg}_3$, respectively. For each possible partitioning by $I^*$ of arguments $x$, $y$, and $g(x)$ into equivalence classes, we get matching valuations precisely for equivalent arguments.

We remove the two applications of function symbol $h$ by a similar process. That is, we introduce two new domain variables $\mathit{vh}_1$ and $\mathit{vh}_2$. We replace the first application of $h$ by $\mathit{vh}_1$ and the second by an ITE term that compares the arguments of the two function applications, yielding $\mathit{vh}_1$ if they are equal and $\mathit{vh}_2$ if they are not. The final form is illustrated in the bottom part of Figure 4. The translation of predicate applications is similar, introducing a new propositional variable for each application. After removing all applications of function and predicate symbols of nonzero order, we are left with a formula $F^*_{eg}$ containing only domain and propositional variables.


4.2  Algorithm  for  Eliminating  Function  and  Predicate  Applications 

The  general  translation  procedure  follows  the  form  shown  for  our  example.  It  iterates  through  the 
function  and  predicate  symbols  of  nonzero  order.  On  each  iteration  it  eliminates  all  occurrences  of 
a  given  symbol.  At  the  end  we  are  left  with  a  formula  containing  only  domain  and  propositional 
variables. 

The following is a detailed description of the process required to eliminate all instances of a single function symbol $f$ having order $k > 0$ from a formula $G$. We use the variant of formula $F_{eg}$ shown schematically at the top of Figure 5. In this variant, we have replaced function symbol $g$ with $f$. In the sequel, if $E$ is an expression and $T$ and $U$ are terms, we will write $E[T \leftarrow U]$ for the result of substituting $U$ for each instance of $T$ in $E$. Let $T_1, \ldots, T_n$ denote the syntactically distinct terms occurring in formula $G$ having the application of $f$ as the top level operation. We refer to these as "$f$-application" terms. Let the arguments to $f$ in $f$-application term $T_i$ be the terms $S_{i,1}, \ldots, S_{i,k}$, so that $T_i$ has the form $f(S_{i,1}, \ldots, S_{i,k})$. Assume the terms $T_1, \ldots, T_n$ are ordered such that if $T_i$ occurs as a subexpression of $T_j$ then $i < j$. In our example the $f$-application terms are: $T_1 = f(x)$, $T_2 = f(y)$ and $T_3 = f(f(x))$. These terms have arguments: $S_{1,1} = x$, $S_{2,1} = y$, and $S_{3,1} = f(x)$.

The translation processes the $f$-application terms in order, such that on step $i$ it replaces all occurrences of the $i$th application of function symbol $f$ by a nested ITE term. Let $\mathit{vf}_1, \ldots, \mathit{vf}_n$ be a new set of domain variables not occurring in $F$. We use these to encode the possible values returned by the $f$-application terms.

For any subexpression $E$ in $G$ define its integer-valued $f$-order, denoted $o_f(E)$, as the highest index $i$ of an $f$-application term $T_i$ occurring in $E$. If no $f$-application terms occur in $E$, its $f$-order is defined to be 0. By our ordering of the $f$-application terms, any argument $S_{i,l}$ to $f$-application term $T_i$ must have $o_f(S_{i,l}) < o_f(T_i)$, and therefore $o_f(T_i) = i$. For example, the contour lines shown in Figure 5 partition the operators according to their $f$-order values.

The transformations performed in replacing applications of function symbol $f$ can be expressed by defining the following recurrence for any subexpression $E$ of $G$:

$$\begin{aligned} E^{(0)} &= E \\ E^{(i)} &= E^{(i-1)}[T_i^{(i-1)} \leftarrow U_i], \quad 1 \le i \le n \\ \hat{E} &= E^{(m)}, \quad \text{where } m = o_f(E) \end{aligned} \qquad (3)$$

In this equation, term $T_i^{(i-1)}$ is the form of the $i$th $f$-application term $T_i$ after all but the topmost application of $f$ have been eliminated. Term $U_i$ is a nested ITE structure encoding the possible values returned by $T_i$ while enforcing its consistency with earlier applications. $U_i$ does not contain any applications of function symbol $f$. For a subexpression $E$ with $o_f(E) = m$, its form $E^{(m)}$ will contain no applications of function symbol $f$. We denote this form as $\hat{E}$. Observe that for any $i > o_f(E)$, term $T_i^{(i-1)}$ does not occ

ur in $E^{(i-1)}$, and hence $E^{(i)} = \hat{E}$ for all $i \ge o_f(E)$. Observe also that for $f$-application term $T_i$ we have $\hat{T}_i = T_i^{(i)} = U_i$.

$U_i$ is defined in terms of a recursively-defined term $V_{i,j}$ as follows:

$$\begin{aligned} V_{i,i} &= \mathit{vf}_i, & 1 \le i \le n \\ V_{i,j} &= \mathit{ITE}(C_{i,j}, \mathit{vf}_j, V_{i,j+1}), & 1 \le j < i \le n \\ U_i &= V_{i,1}, & 1 \le i \le n \end{aligned} \qquad (4)$$

where for each $j < i$, formula $C_{i,j}$ is true iff the (transformed) arguments to the top-level application of $f$ in the terms $T_i$ and $T_j$ have the same values:

$$C_{i,j} = \bigwedge_{1 \le l \le k} \hat{S}_{i,l} = \hat{S}_{j,l} \qquad (5)$$

Observe that the recurrence of Equation 4 is well-defined, since for all argument terms of the form $S_{j,l}$ for $1 \le j \le i$ and $1 \le l \le k$, we have $o_f(S_{j,l}) < i$, and hence terms of the form $\hat{S}_{j,l}$ and $\hat{S}_{i,l}$, as well as term $V_{i,j+1}$, are available when we define $V_{i,j}$.
The lower part of Figure 5 shows the result of removing the three applications of $f$ from our example formula. First, we have $U_1 = \mathit{vf}_1$, giving translated function arguments: $\hat{S}_{1,1} = x$, $\hat{S}_{2,1} = y$, and $\hat{S}_{3,1} = \mathit{vf}_1$. The comparison formulas are then: $C_{2,1} = (y = x)$, $C_{3,1} = (\mathit{vf}_1 = x)$, and $C_{3,2} = (\mathit{vf}_1 = y)$. From these we get translated terms:

$$\begin{aligned} U_2 &= \mathit{ITE}(y = x, \mathit{vf}_1, \mathit{vf}_2) \\ U_3 &= \mathit{ITE}(\mathit{vf}_1 = x, \mathit{vf}_1, \mathit{ITE}(\mathit{vf}_1 = y, \mathit{vf}_2, \mathit{vf}_3)) \end{aligned}$$

We can see that formula $\hat{G} = G^{(3)}$ will no longer contain any applications of function symbol $f$. We will show that $G$ is universally valid if and only if $\hat{G}$ is.

In the following correctness proofs, we will use a fundamental principle relating syntactic substitution and expression evaluation:

Proposition 1 For any expression $E$, pair of terms $T, U$, and interpretation $I$ of all of the symbols in $E$, $T$, and $U$, if $I[T] = I[U]$ then $I[E[T \leftarrow U]] = I[E]$.

We will also use the following characterization of Equation 4. For value $i$ such that $1 \le i \le n$ and for interpretation $I$ of the symbols in $U_i$, we define the least matching value of $i$ under interpretation $I$, denoted $\mathit{lm}_I(i)$, as the minimum value $j$ in the range $1 \le j \le i$ such that $I[\hat{S}_{j,l}] = I[\hat{S}_{i,l}]$ for all $l$ in the range $1 \le l \le k$. Observe that this value is well defined, since $i$ forms a feasible value for $j$ in any case.

Lemma 3 For any interpretation $I$, $I[U_i] = I(\mathit{vf}_j)$, where $j = \mathit{lm}_I(i)$.

Proof: For value $m$ in the range $1 \le m \le i$ define $\mathit{lm}_I(m, i)$ as the minimum value of $j$ in the range $m \le j \le i$ such that $I[\hat{S}_{j,l}] = I[\hat{S}_{i,l}]$ for all $l$ in the range $1 \le l \le k$. By this definition $\mathit{lm}_I(i) = \mathit{lm}_I(1, i)$. Observe also that if $j = \mathit{lm}_I(m, i)$ then $I[C_{i,j}] = \mathbf{true}$. In addition, for any value $m'$ in the range $m \le m' \le i$, if $\mathit{lm}_I(m, i) \ge m'$, then $\mathit{lm}_I(m, i) = \mathit{lm}_I(m', i)$.

We prove by induction on $m$ that $I[V_{i,m}] = I(\mathit{vf}_j)$, where $j = \mathit{lm}_I(m, i)$. The base case of $m = i$ is trivial, since $\mathit{lm}_I(i, i) = i$, and $V_{i,i} = \mathit{vf}_i$.

Assuming the property holds for $m + 1$, we consider two possibilities. First, if $\mathit{lm}_I(m, i) = m$, we have $I[C_{i,m}] = \mathbf{true}$, and hence the top-level ITE operation in $V_{i,m}$ (Equation 4) will select its first term argument $\mathit{vf}_m$, giving $I[V_{i,m}] = I(\mathit{vf}_m)$. On the other hand, if $\mathit{lm}_I(m, i) > m$, we must have $I[C_{i,m}] = \mathbf{false}$, and hence the top-level ITE operation in $V_{i,m}$ will select its second term argument $V_{i,m+1}$, giving $I[V_{i,m}] = I[V_{i,m+1}]$, which by the inductive hypothesis equals $I(\mathit{vf}_j)$ for $j = \mathit{lm}_I(m + 1, i)$. Since $\mathit{lm}_I(m, i) \ge m + 1$, we must also have $\mathit{lm}_I(m, i) = \mathit{lm}_I(m + 1, i)$, and hence $I[V_{i,m}] = I(\mathit{vf}_j)$ where $j = \mathit{lm}_I(m, i)$.

Since $U_i$ is defined as $V_{i,1}$, our induction argument proves that $I[U_i] = I(\mathit{vf}_j)$ for $j = \mathit{lm}_I(1, i) = \mathit{lm}_I(i)$. □
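As an added example that is not code from the paper, the following Python script implements the elimination recurrence of Section 4.2 (Equations 3 to 5) on a small tuple-encoded term language, reproduces the terms of Equation 2 and the rows of Table 3 for the example of Section 4.1, checks the characterization of Lemma 3 by evaluation, and exhaustively evaluates the final function-free formula $F^*$ over a small domain. The form of $F_{eg}$ used here (Equation 1 is not reproduced on this page) is assumed from the text's description of its $g$ and $h$ applications, and the encoding and helper names are the example's own.

```python
# Added example, not code from the paper: the function-application elimination
# of Section 4.2 (Equations 3 to 5) on a small tuple-encoded term language, plus
# a check of Lemma 3 (I[U_i] = I(vf_j) with j = lm_I(i)) by evaluation. Encoding:
# ('var', n), ('app', f, (args)), ('ite', G, T1, T2), ('eq', T1, T2), ('and'|'or', G1, G2), ('not', G).
from functools import reduce
from itertools import product

def var(n): return ('var', n)
def app(f, *args): return ('app', f, tuple(args))
def kids(e): return e[2] if e[0] == 'app' else e[1:]   # immediate subexpressions

def depth(e):
    """Expression depth as defined in the paper (variables have depth 0)."""
    return 0 if e[0] == 'var' else 1 + max(depth(c) for c in kids(e))

def f_applications(e, f, acc=None):
    """T_1..T_n: the distinct f-application terms in e, nested ones first."""
    acc = [] if acc is None else acc
    for c in kids(e):
        if isinstance(c, tuple):
            f_applications(c, f, acc)
    if e[0] == 'app' and e[1] == f and e not in acc:
        acc.append(e)
    return sorted(acc, key=depth)       # stable: ties keep first-occurrence order

def substitute(e, old, new):
    """E[old <- new]: replace every instance of term old inside e by new."""
    if e == old:
        return new
    if e[0] == 'app':
        return ('app', e[1], tuple(substitute(a, old, new) for a in e[2]))
    return e if e[0] == 'var' else (e[0],) + tuple(substitute(c, old, new) for c in e[1:])

def eliminate(G, f, prefix):
    """Equations 3 to 5: (G_hat, U, vf, S_hat) with every f-application in G
    replaced by its nested ITE term U_i over the fresh variables vf_i."""
    T = f_applications(G, f)
    vf, S_hat, U = [var(f'{prefix}{i}') for i in range(1, len(T) + 1)], [], []
    for i in range(len(T)):
        Ti = T[i]                       # T_i^(i-1): inner f-applications already gone
        args_i = Ti[2]                  # transformed arguments S-hat_{i,1..k}
        V = vf[i]                       # V_{i,i} = vf_i
        for j in reversed(range(i)):    # V_{i,j} = ITE(C_{i,j}, vf_j, V_{i,j+1})
            C = reduce(lambda a, b: ('and', a, b), [('eq', s, t) for s, t in zip(args_i, S_hat[j])])
            V = ('ite', C, vf[j], V)
        U.append(V); S_hat.append(args_i)   # U_i = V_{i,1}
        G = substitute(G, Ti, V)        # E^(i) = E^(i-1)[T_i^(i-1) <- U_i]
        T = [substitute(t, Ti, V) for t in T]
    return G, U, vf, S_hat

def evaluate(e, I):
    """Value of a function-free term or formula under I (variable name -> value)."""
    t = e[0]
    if t == 'var':
        return I[e[1]]
    if t == 'app':
        raise ValueError('apply eliminate() first; evaluate() handles no applications')
    if t == 'ite':
        return evaluate(e[2] if evaluate(e[1], I) else e[3], I)
    if t == 'not':
        return not evaluate(e[1], I)
    a, b = evaluate(e[1], I), evaluate(e[2], I)
    return a == b if t == 'eq' else (a and b if t == 'and' else a or b)

def least_match(i, S_hat, I):
    """lm_I(i): least j <= i whose arguments evaluate like those of T_i under I."""
    vals = [[evaluate(s, I) for s in S] for S in S_hat[:i]]
    return next(j for j in range(1, i + 1) if vals[j - 1] == vals[i - 1])

def lemma3_holds(U, vf, S_hat, I):
    """Lemma 3: I[U_i] == I(vf_j) with j = lm_I(i), for every i."""
    return all(evaluate(U[i], I) == I[vf[least_match(i + 1, S_hat, I) - 1][1]]
               for i in range(len(U)))

def table3(U, vf, S_hat):
    """Table 3: with vg_i = i, U_1..U_3 for (x, y) pairs realizing each partitioning
    of {x, y, g(x)}; g(x) is encoded by vg_1 = 1, so y = 1 puts y with g(x)."""
    rows = {}
    for xv, yv in [(5, 6), (5, 5), (5, 1), (1, 5), (1, 1)]:
        I = {'x': xv, 'y': yv, 'vg1': 1, 'vg2': 2, 'vg3': 3}
        assert lemma3_holds(U, vf, S_hat, I)
        rows[(xv, yv)] = tuple(evaluate(u, I) for u in U)
    return rows

def holds_everywhere(G, names, domain):
    """Evaluate function-free G under every assignment of names over domain."""
    return all(evaluate(G, dict(zip(names, vs))) for vs in product(domain, repeat=len(names)))

X, Y = var('x'), var('y')
# Assumed form of F_eg (Equation 1 is not reproduced on this page): x = y implies
# h(g(x), g(g(x))) = h(g(y), g(g(x))), written here as a disjunction.
F_EG = ('or', ('not', ('eq', X, Y)),
        ('eq', app('h', app('g', X), app('g', app('g', X))),
               app('h', app('g', Y), app('g', app('g', X)))))
VARS = ['x', 'y', 'vg1', 'vg2', 'vg3', 'vh1', 'vh2']    # domain variables of F*

def f_star(G=F_EG):                     # F* of Section 4.1: eliminate g, then h
    return eliminate(eliminate(G, 'g', 'vg')[0], 'h', 'vh')[0]
```

The exhaustive check over the domain $\{1, 2, 3\}$ is a finite sanity check of the transformed formula, not a validity proof; dropping the premise $x = y$ from the constructed $F_{eg}$ yields a formula the same check falsifies.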
Lemma 4 Any interpretation $J$ of the symbols in $G$ can be extended to an interpretation $\bar{J}$ of the symbols in both $G$ and $\hat{G}$ such that for every subexpression $E$ of $G$, $\bar{J}[\hat{E}] = \bar{J}[E] = J[E]$.

Proof: We provide a somewhat more general construction of $\bar{J}$ than is required for the proof of this lemma in anticipation of using this construction in the proof of Lemma 6. Given $J$ defined over domain $\mathcal{D}$, we define $\bar{J}$ over a domain $\bar{\mathcal{D}}$ such that $\bar{\mathcal{D}} \supseteq \mathcal{D}$.

We define $\bar{J}$ for the function and predicate symbols occurring in $G$ based on their definitions in $J$. For any function symbol $f$ in $G$ having $\mathit{ord}(f) = k$, and any argument values $x_1, \ldots, x_k \in \mathcal{D}$, we define $\bar{J}(f)(x_1, \ldots, x_k) = J(f)(x_1, \ldots, x_k)$. For argument values $x_1, \ldots, x_k \in \bar{\mathcal{D}}$ such that for some $i$, $x_i \notin \mathcal{D}$, we let $\bar{J}(f)(x_1, \ldots, x_k)$ be an arbitrary domain value. Similarly, for predicate symbol $p$, we define $\bar{J}(p)$ to yield the same value as $J(p)$ for arguments in $\mathcal{D}$ and to yield an arbitrary truth value when at least one argument is not in $\mathcal{D}$.

One can readily see that $\bar{J}[E] = J[E]$ for every subexpression $E$ of $G$. This takes care of the second equality in the statement of the lemma, and hence we can concentrate on the relation between $\bar{J}[\hat{E}]$ and $\bar{J}[E]$ for the remainder of the proof.

Recall that $\mathit{vf}_1, \ldots, \mathit{vf}_n$ are the domain variables introduced when generating the nested ITE terms $U_1, \ldots, U_n$. Our strategy is to define interpretations of these variables such that each $U_i$ mimics the behavior of the original $f$-application term $T_i$ in $G$.

We consider two cases. For the case where $\mathit{lm}_{\bar{J}}(i) = i$, we define $\bar{J}(\mathit{vf}_i) = \bar{J}[T_i]$, i.e., the value of the $f$-application term in $G$ under $\bar{J}$. Otherwise, we let $\bar{J}(\mathit{vf}_i)$ be an arbitrary domain value; we will show that its value does not affect the valuation of any expression $\hat{E}$ in $\hat{G}$ having a counterpart $E$ in $G$.

We argue by induction on $i$ that $\bar{J}[E^{(i)}] = \bar{J}[E]$ for any subexpression $E$ of $G$. For the case where $o_f(E) \le i$, this hypothesis implies that $\bar{J}[\hat{E}] = \bar{J}[E]$. The base case of $i = 0$ is trivial, since $E^{(0)}$ is defined to be $E$.

Suppose that for every $j$ in the range $1 \le j < i$ and every subexpression $D$ of $G$, we have $\bar{J}[D^{(j)}] = \bar{J}[D]$, and consequently that $\bar{J}[\hat{D}] = \bar{J}[D]$ for the case where $o_f(D) < i$. We must show that for every subexpression $E$ of $G$, we have $\bar{J}[E^{(i)}] = \bar{J}[E]$.

We first focus our attention on term $T_i$ in $G$ and its counterpart $U_i$ in $\hat{G}$, showing that $\bar{J}[U_i] = \bar{J}[T_i]$. The $f$-application terms $T_j$ for all $j$ such that $j < i$ have $o_f(T_j) = j < i$, and hence we can assume that $\bar{J}[U_j] = \bar{J}[T_j]$ for these values of $j$. Furthermore, any argument $S_{j,l}$ to an $f$-application term for $j \le i$ and $1 \le l \le k$ has $o_f(S_{j,l}) < j \le i$, and hence we can assume $\bar{J}[\hat{S}_{j,l}] = \bar{J}[S_{j,l}]$.

We consider two cases: $\mathit{lm}_{\bar{J}}(i) = i$, and $\mathit{lm}_{\bar{J}}(i) < i$. In the former case, we have by Lemma 3 that $\bar{J}[U_i] = \bar{J}(\mathit{vf}_i)$. Our definition of $\bar{J}(\mathit{vf}_i)$ gives $\bar{J}[U_i] = \bar{J}(\mathit{vf}_i) = \bar{J}[T_i]$. Otherwise, suppose that $\mathit{lm}_{\bar{J}}(i) = j < i$. Lemma 3 shows that $\bar{J}[U_i] = \bar{J}(\mathit{vf}_j)$. We can see that $\mathit{lm}_{\bar{J}}(j) = j$, and hence $\bar{J}(\mathit{vf}_j)$ is defined to be $\bar{J}[T_j]$. By the definition of $\mathit{lm}$ we have $\bar{J}[\hat{S}_{j,l}] = \bar{J}[\hat{S}_{i,l}]$ for $1 \le l \le k$. By the induction hypothesis we have $\bar{J}[\hat{S}_{j,l}] = \bar{J}[S_{j,l}]$, since $o_f(S_{j,l}) < i$, and similarly that $\bar{J}[\hat{S}_{i,l}] = \bar{J}[S_{i,l}]$. By transitivity we have $\bar{J}[S_{j,l}] = \bar{J}[S_{i,l}]$ for all $l$ such that $1 \le l \le k$, i.e., the arguments to $f$-application terms $T_j$ and $T_i$ have equal valuations under $\bar{J}$. Functional consistency requires that $\bar{J}[T_j] = \bar{J}[T_i]$. From this we can conclude that $\bar{J}[U_i] = \bar{J}[U_j] = \bar{J}[T_j] = \bar{J}[T_i]$. Combining these cases gives $\bar{J}[U_i] = \bar{J}[T_i]$.

For any subexpression $E$ its form $E^{(i)}$ differs from $E^{(i-1)}$ only in that all instances of term $T_i^{(i-1)}$ have been replaced by $U_i$. We have just argued that $\bar{J}[U_i] = \bar{J}[T_i]$, and by the induction hypothesis we have that $\bar{J}[T_i^{(i-1)}] = \bar{J}[T_i]$, giving by transitivity that $\bar{J}[T_i^{(i-1)}] = \bar{J}[U_i]$. Proposition 1 implies that $\bar{J}[E^{(i)}] = \bar{J}[E^{(i-1)}]$, and our induction hypothesis gives $\bar{J}[E^{(i-1)}] = \bar{J}[E]$. By transitivity we have $\bar{J}[E^{(i)}] = \bar{J}[E]$.

To complete the proof, we observe that our induction argument implies that for any subexpression $E$ of $G$, $\bar{J}[E^{(m)}] = \bar{J}[E]$, including for the case where $m = o_f(E)$, giving $\bar{J}[\hat{E}] = \bar{J}[E^{(m)}] = \bar{J}[E]$. □

Lemma 5 Any interpretation $J$ of the symbols in $\hat{G}$ can be extended to an interpretation $\bar{J}$ of the symbols in both $G$ and $\hat{G}$ such that for every subexpression $E$ of $G$, $\bar{J}[E] = \bar{J}[\hat{E}] = J[\hat{E}]$.

Proof: We define $\bar{J}$ to be identical to $J$ for any symbol occurring in $\hat{G}$. This implies that $\bar{J}[\hat{E}] = J[\hat{E}]$ for every subexpression $E$ of $G$. This takes care of the second equality in the statement of the lemma, and hence we can concentrate on the relation between $\bar{J}[E]$ and $\bar{J}[\hat{E}]$ for the remainder of the proof.

For function symbol $f$, we define $\bar{J}(f)(x_1, \ldots, x_k)$ for domain elements $x_1, \ldots, x_k$ as follows. Suppose there is some value $j$ such that $x_l = J[\hat{S}_{j,l}]$ for all $l$ such that $1 \le l \le k$, and such that $j = \mathit{lm}_J(j)$. Then we define $\bar{J}(f)(x_1, \ldots, x_k)$ to be $J(\mathit{vf}_j)$. If no such value of $j$ exists, we let $\bar{J}(f)(x_1, \ldots, x_k)$ be some arbitrary domain value.

We argue by induction on $i$ that $\bar{J}[E] = \bar{J}[E^{(i)}]$ for any subexpression $E$ of $G$. For the case where $o_f(E) \le i$, this hypothesis implies that $\bar{J}[E] = \bar{J}[\hat{E}]$. The base case of $i = 0$ is trivial, since $E^{(0)}$ is defined to be $E$.

Suppose that for every $j$ in the range $1 \le j < i$ and every subexpression $D$ of $G$, we have $\bar{J}[D] = \bar{J}[D^{(j)}]$, and consequently that $\bar{J}[D] = \bar{J}[\hat{D}]$ for the case where $o_f(D) < i$. We must show that for every subexpression $E$ of $G$, we have $\bar{J}[E] = \bar{J}[E^{(i)}]$.

We focus initially on term $T_i$ in $G$ and its counterpart $U_i$ in $\hat{G}$, showing that $\bar{J}[T_i] = \bar{J}[U_i]$. Any $f$-application term $T_j$ for $j < i$ has $o_f(T_j) = j < i$, and hence we can assume that $\bar{J}[T_j] = \bar{J}[U_j]$. Furthermore, any argument $S_{j,l}$ to an $f$-application term for $j \le i$ and $1 \le l \le k$ has $o_f(S_{j,l}) < j \le i$, and hence we can assume that $\bar{J}[S_{j,l}] = \bar{J}[\hat{S}_{j,l}]$.

We consider two cases: $\mathit{lm}_J(i) = i$, and $\mathit{lm}_J(i) < i$. In the former case, we have by Lemma 3 that $\bar{J}[U_i] = J(\mathit{vf}_i)$. In addition, $\bar{J}(f)$ is defined such that $\bar{J}[T_i] = \bar{J}(f)(\bar{J}[S_{i,1}], \ldots, \bar{J}[S_{i,k}]) = \bar{J}(f)(J[\hat{S}_{i,1}], \ldots, J[\hat{S}_{i,k}]) = J(\mathit{vf}_i)$, giving $\bar{J}[T_i] = J(\mathit{vf}_i) = \bar{J}[U_i]$. Otherwise, suppose that $\mathit{lm}_J(i) = j < i$. Lemma 3 shows that $\bar{J}[U_i] = J(\mathit{vf}_j)$. We can see that $\mathit{lm}_J(j) = j$, and hence $\bar{J}(f)$ is defined such that $\bar{J}(f)(J[\hat{S}_{j,1}], \ldots, J[\hat{S}_{j,k}]) = J(\mathit{vf}_j)$. For any $l$ such that $1 \le l \le k$, we also have by the definition of $\mathit{lm}$ that $J[\hat{S}_{j,l}] = J[\hat{S}_{i,l}]$. By the induction hypothesis we have $\bar{J}[S_{j,l}] = \bar{J}[\hat{S}_{j,l}]$, since $o_f(S_{j,l}) < i$, and similarly that $\bar{J}[S_{i,l}] = \bar{J}[\hat{S}_{i,l}]$. By transitivity we have $\bar{J}[S_{j,l}] = \bar{J}[S_{i,l}]$, i.e., the arguments to $f$-application terms $T_j$ and $T_i$ have equal valuations under $\bar{J}$. Functional consistency requires that $\bar{J}[T_j] = \bar{J}[T_i]$. Putting this together gives

$$\bar{J}[T_i] = \bar{J}[T_j] = \bar{J}(f)(\bar{J}[S_{j,1}], \ldots, \bar{J}[S_{j,k}]) = \bar{J}(f)(J[\hat{S}_{j,1}], \ldots, J[\hat{S}_{j,k}]) = J(\mathit{vf}_j) = \bar{J}[U_i].$$

For any subexpression $E$ its form $E^{(i)}$ differs from $E^{(i-1)}$ only in that all instances of term $T_i^{(i-1)}$ have been replaced by $U_i$. We have just argued that $\bar{J}[T_i] = \bar{J}[U_i]$, and by the induction hypothesis we have that $\bar{J}[T_i] = \bar{J}[T_i^{(i-1)}]$, giving by transitivity that $\bar{J}[T_i^{(i-1)}] = \bar{J}[U_i]$. Proposition 1 implies that $\bar{J}[E^{(i-1)}] = \bar{J}[E^{(i)}]$, and our induction hypothesis gives $\bar{J}[E] = \bar{J}[E^{(i-1)}]$. By transitivity we have $\bar{J}[E] = \bar{J}[E^{(i)}]$.

To complete the proof, we observe that our induction argument implies that for any subexpression $E$ of $G$, $\bar{J}[E] = \bar{J}[E^{(m)}]$, including for the case where $m = o_f(E)$, giving $\bar{J}[E] = \bar{J}[E^{(m)}] = \bar{J}[\hat{E}]$. □

An application of a predicate symbol having nonzero order can be removed by a similar process, using newly generated propositional variables to encode the possible values returned by the predicate applications. By an argument similar to that made in Lemma 4, we can extend an interpretation to include interpretations of the propositional variables such that the original and the transformed formulas have identical valuations. Conversely, by an argument similar to that made in Lemma 5, we can extend an interpretation to include an interpretation of the original predicate symbol such that the original and the transformed formulas have identical valuations.

Suppose formula $F$ contains applications of $m$ different function and predicate symbols of nonzero order. Starting with $F_0 = F$, we can generate a sequence of formulas $F_0, F_1, \ldots, F_m$. Each formula $F_{i+1}$ is generated from its predecessor $F_i$ by letting $G = F_i$ and $F_{i+1} = \hat{G}$ in our technique to eliminate all instances of the $(i+1)$st function or predicate symbol. Let $F^* = F_m$ denote the formula that will result once we have eliminated all applications of function and predicate symbols having nonzero order.


Theorem 2 For EUF formula $F$, the transformation process described above yields a formula $F^*$ such that $F$ is universally valid if and only if $F^*$ is universally valid.

Proof: This theorem follows by simply inducting on the number of function and predicate symbols in $F$ having nonzero order. That is, for any interpretation $I$ of the function and predicate symbols of $F$, we construct a sequence of interpretations $I = I_0, I_1, \ldots, I_m$. Each interpretation $I_i$ is generated by extending its predecessor $I_{i-1}$ by letting $J = I_{i-1}$ and $I_i = \hat{J}$ in Lemma 4 or a similar one for predicate applications. The effect is to include in $I_i$ interpretations of the domain or propositional variables introduced when eliminating the function or predicate symbol. We then define interpretation $I^*$ to be identical to $I_m$ for every variable appearing in $F^*$. By induction, we have $I^*[F^*] = I[F]$. If $F^*$ is universally valid, we have $I[F] = I^*[F^*] = \mathit{true}$. Since this construction can be performed for any interpretation $I$, $F$ must also be universally valid.

Conversely, starting with an interpretation $I^*$ of the domain and propositional variables of $F^*$, we can define a sequence of interpretations $I^* = I_m, I_{m-1}, \ldots, I_0$, using the construction in the proof of Lemma 5 (or a similar one for predicate applications) to generate an interpretation of each function or predicate symbol in $F$. We then define interpretation $I$ to be identical to $I_0$ for every function or predicate symbol appearing in $F$. By induction, we have $I[F] = I^*[F^*]$. If $F$ is universally valid, we have $I^*[F^*] = I[F] = \mathit{true}$. Since this construction can be performed for any interpretation $I^*$, $F^*$ must also be universally valid. □


4.3 Assigning Distinct Values to Variables Representing P-Function Applications

We can exploit the maximal diversity property by considering only interpretations that assign distinct values to the domain variables generated when replacing p-function applications by nested ITE terms.

For example, by using an interpretation $I^*$ that assigns distinct values 1, 2, and 3 to variables $vf_1$, $vf_2$, and $vf_3$ in Equation 2, we generate distinct values for the terms $U_1$, $U_2$, and $U_3$, except when there are matches between the arguments $x_1$, $x_2$, and $x_3$. On the other hand, our encoding still considers the possibility that the arguments to the different applications of $f$ may match under some interpretations, in which case the function results should match as well.

To show this formally, consider the effect of replacing all instances of a function symbol $f$ in a formula $G$ by nested ITE terms, as described earlier, yielding a formula $\hat{G}$ with new domain variables $vf_1, \ldots, vf_n$. We first show that when we generate these variables while eliminating p-function applications, we can assume they have a diverse interpretation.

Lemma 6 Let $\Sigma$ be a subset of the symbols in $G$, and let $\hat{G}$ be the result of eliminating function symbol $f$ from $G$ by introducing new domain variables $vf_1, \ldots, vf_n$. If $f \in \Sigma$, then for any interpretation $J$ that is diverse for $G$ with respect to $\Sigma$, there is an interpretation $\hat{J}$ that is diverse for $\hat{G}$ with respect to $\Sigma - \{f\} \cup \{vf_1, \ldots, vf_n\}$ such that $\hat{J}[\hat{G}] = J[G]$.

Proof: Given interpretation $J$ defined over domain $\mathcal{D}$, we define interpretation $\hat{J}$ over a domain $\hat{\mathcal{D}} = \mathcal{D} \cup \{z_1, \ldots, z_n\}$. Each $z_i$ is a unique value, i.e., $z_i \ne z_j$ for any $i \ne j$, and $z_i \notin \mathcal{D}$.

The proof of this lemma is based on a refinement of the proof of Lemma 4. Whereas the construction in the earlier proof assigned arbitrary values to the new domain variables in some cases, we select an assignment that is diverse in these variables. As in the construction in the proof of Lemma 4, we define $\hat{J}$ for any function or predicate symbol in $\hat{G}$ to be identical to that of $J$ when the arguments are all elements of $\mathcal{D}$. When some argument is not in $\mathcal{D}$, we let the function (respectively, predicate) application yield an arbitrary domain (resp., truth) value.

For domain variable $vf_i$ introduced when generating term $U_i$, we consider two cases. For the case where $\mathit{lm}_J(i) = i$, we define $\hat{J}(vf_i) = J[T_i]$, i.e., the value of the $f$-application term in $G$ under $J$. For the case where $\mathit{lm}_J(i) < i$, we define $\hat{J}(vf_i) = z_i$. We saw in the proof of Lemma 4 that we could assign arbitrary values in this latter case and still have $\hat{J}[\hat{G}] = J[G]$. In fact, for every subexpression $E$ of $G$, we have that its counterpart $\hat{E}$ in $\hat{G}$ satisfies $\hat{J}[\hat{E}] = J[E]$.

We must show that $\hat{J}$ is diverse for $\hat{G}$ with respect to $\Sigma - \{f\} \cup \{vf_1, \ldots, vf_n\}$. We first observe that $\hat{J}$ is identical to $J$ for all function application terms in $G$, and hence $\hat{J}$ must be diverse with respect to $\Sigma$ for $G$. We also observe that $\hat{J}$ assigns to each variable $vf_i$ either a unique value $z_i$ or the value yielded by $f$-application term $T_i$ in $G$ under $J$.

Suppose there were distinct variables $vf_i$ and $vf_j$ such that $\hat{J}(vf_i) = \hat{J}(vf_j)$. This could only occur for the case that $\hat{J}(vf_i) = J[T_i] = J[T_j] = \hat{J}(vf_j)$. Since $J$ is diverse with respect to $\Sigma$ and $f \in \Sigma$, two $f$-applications can agree under $J$ only when their arguments do, so this would imply that $\mathit{lm}_J(i) = \mathit{lm}_J(j)$. We cannot have both $\mathit{lm}_J(i) = i$ and $\mathit{lm}_J(j) = j$, and hence either $vf_i$ or $vf_j$ would have been assigned unique value $z_i$ or $z_j$, respectively. Thus, we can conclude that $\hat{J}(vf_i) \ne \hat{J}(vf_j)$ for distinct variables $vf_i$ and $vf_j$.

In addition, we must show that interpretation $\hat{J}$ does not create any matches between a new variable $vf_i$ and a function application term $T$ in $\hat{G}$ that does not have $f$ as the topmost function symbol. Since $J$ is diverse with respect to $\Sigma$ for $G$ and $f \in \Sigma$, any function application term $T$ in $G$ that does not have function symbol $f$ as its topmost symbol must have $J[T] \ne J[T_i]$ for all $1 \le i \le n$. In addition, we have $J[T] \ne z_i$ for all $1 \le i \le n$. Hence, we must have $J[T] \ne \hat{J}(vf_i)$. □


We must also show that the variables introduced when eliminating g-function applications do not adversely affect the diversity of the other symbols.

Lemma 7 Let $\Sigma$ be a subset of the symbols in $G$, and let $\hat{G}$ be the result of eliminating function symbol $f$ from $G$ by introducing new domain variables $vf_1, \ldots, vf_n$. If $f \notin \Sigma$, then for any interpretation $J$ that is diverse for $G$ with respect to $\Sigma$, there is an interpretation $\hat{J}$ that is diverse for $\hat{G}$ with respect to $\Sigma$ such that $\hat{J}[\hat{G}] = J[G]$.

Proof: The proof of this lemma is based on a refinement of the proof of Lemma 4. Whereas the construction in the earlier proof assigned arbitrary values to some of the new domain variables, we select an assignment such that we do not inadvertently violate the diversity of the other function symbols.

We define $\hat{J}$ to be identical to $J$ for any symbol occurring in $G$. For each domain variable $vf_i$ introduced when generating term $U_i$, we define $\hat{J}(vf_i) = J[T_i]$. This differs from the interpretation defined in the proof of Lemma 4 only in that we give fixed interpretations to domain variables that could otherwise be arbitrary, and hence we have $\hat{J}[\hat{G}] = J[G]$. In fact, for every subexpression $E$ of $G$, we have that its counterpart $\hat{E}$ in $\hat{G}$ satisfies $\hat{J}[\hat{E}] = J[E]$.

We must show that $\hat{J}$ is diverse for $\hat{G}$ with respect to $\Sigma$. We first observe that $\hat{J}$ is identical to $J$ for all function application terms in $G$, and hence $\hat{J}$ must be diverse for $G$ with respect to $\Sigma$. We also observe that $\hat{J}$ assigns to each variable $vf_i$ the value of $f$-application term $T_i$. For term $T$ having the application of function symbol $g \in \Sigma$ as the topmost operation, we must have $\hat{J}[T] = J[T] \ne J[T_i] = \hat{J}(vf_i)$. Hence, we are assured that the values assigned to the new variables under $\hat{J}$ do not violate the diversity of the interpretations of the symbols in $\Sigma$. □

Suppose we apply the transformation process of Theorem 2 to a p-formula $F$ to generate a formula $F^*$, and that in this process, we introduce a set of new domain variables $\mathcal{V}$ to replace the applications of the p-function symbols. Let $\Sigma^*_p(F)$ be the union of the set of domain variables in $\Sigma_p(F)$ and $\mathcal{V}$. That is, $\Sigma^*_p(F)$ consists of those domain variables in the original formula $F$ that were p-function symbols as well as the domain variables generated when replacing applications of p-function symbols. Let $\Sigma^*_g(F)$ be the domain variables in $F^*$ that are not in $\Sigma^*_p(F)$. These variables were either g-function symbols in $F$ or were generated when replacing g-function applications.

We observe that we can generate all maximally diverse interpretations of $F$ by considering only interpretations of the variables in $F^*$ that assign distinct values to the variables in $\Sigma^*_p(F)$:

Theorem 3 PEUF formula $F$ is universally valid if and only if its translation $F^*$ is true for every interpretation $I^*$ that is diverse over $\Sigma^*_p(F)$.

Proof: By Theorem 2, the universal validity of $F$ implies that of $F^*$. The theorem follows by inducting on the number of function and predicate symbols in $F$ having nonzero order. For the induction step we use Lemma 6 when eliminating all applications of a p-function symbol, and Lemma 7 when eliminating all applications of a g-function symbol. When eliminating a predicate symbol, we do not introduce any new domain variables. □


4.3.1  Discussion 

Ackermann also describes a scheme for replacing function application terms by domain variables [Ack54]. His scheme simply replaces each instance of a function application by a newly-generated domain variable and then introduces constraints expressing functional consistency as antecedents to the modified formula. As an illustration, Figure 6 shows the result of applying his method to formula $F_{eg}$ of Equation 1. First, we replace the three applications of function symbol $g$ with new domain variables $vg_1$, $vg_2$, and $vg_3$. To maintain functional consistency we add constraints

$$(x = y \Rightarrow vg_1 = vg_2) \;\wedge\; (x = vg_1 \Rightarrow vg_1 = vg_3) \;\wedge\; (y = vg_1 \Rightarrow vg_2 = vg_3)$$

as an antecedent to the modified formula. The result is shown in the middle of Figure 6, using Boolean connectives $\wedge$, $\vee$, and $\neg$ rather than $\Rightarrow$. In this diagram, the three constraints listed above form the middle three arguments of the final disjunction. A similar process is used to replace the applications of function symbol $h$, adding a fourth constraint $vg_1 = vg_2 \wedge vg_3 = vg_3 \Rightarrow vh_1 = vh_2$. The result is shown at the bottom of Figure 6.

There is no clear way to exploit the maximal diversity with this translated form. For example, if we consider only diverse interpretations of variables $vg_1$, $vg_2$, and $vg_3$, we will fail to consider interpretations of the original formula for which $x$ equals $y$.
Figure 6: Ackermann's Method for Replacing Function Applications in $F_{eg}$. (Diagram not reproduced; its three panels show the initial formula, the result after removing the applications of function symbol $g$, and the result after removing the applications of function symbol $h$.)
4.4 Using Fixed Interpretations of the Variables in $\Sigma^*_p(F)$

We can further simplify the task of determining universal validity by choosing particular domains of sufficient size and assigning fixed interpretations to the variables in $\Sigma^*_p(F)$. The next result follows from Theorem 3.

Corollary 1 Let $\mathcal{D}_p$ and $\mathcal{D}_g$ be disjoint subsets of domain $\mathcal{D}$ such that $|\mathcal{D}_p| \ge |\Sigma^*_p(F)|$ and $|\mathcal{D}_g| \ge |\Sigma^*_g(F)|$. Let $\alpha$ be any 1-1 mapping $\alpha\colon \Sigma^*_p(F) \to \mathcal{D}_p$. PEUF formula $F$ is universally valid if and only if its translation $F^*$ is true for every interpretation $I^*$ such that $I^*(v_p) = \alpha(v_p)$ for every variable $v_p \in \Sigma^*_p(F)$, and $I^*(v_g) \in \mathcal{D}_g$ for every variable $v_g \in \Sigma^*_g(F)$.

Proof: Consider any interpretation $J^*$ of the variables in $\Sigma^*_p(F) \cup \Sigma^*_g(F)$ that is diverse over $\Sigma^*_p(F)$. We show that we can construct an isomorphic interpretation $I^*$ that satisfies the restrictions of the corollary.

Let $\mathcal{D}'_p$ (respectively, $\mathcal{D}'_g$) be the range of $J^*$ considering only variables in $\Sigma^*_p(F)$ (resp., $\Sigma^*_g(F)$). The function $J^*\colon \Sigma^*_p(F) \to \mathcal{D}'_p$ must be a bijection and hence have an inverse $J^{*-1}\colon \mathcal{D}'_p \to \Sigma^*_p(F)$. Furthermore, we must have $|\mathcal{D}'_g| \le |\Sigma^*_g(F)| \le |\mathcal{D}_g|$. Let $\sigma_p$ be the 1-1 mapping $\sigma_p\colon \mathcal{D}'_p \to \mathcal{D}_p$ defined for any $z$ in $\mathcal{D}'_p$ as $\sigma_p(z) = \alpha(J^{*-1}(z))$. Let $\sigma_g$ be an arbitrary 1-1 mapping $\sigma_g\colon \mathcal{D}'_g \to \mathcal{D}_g$. We now define $I^*$ such that for any variable $v$ in $\Sigma^*_p(F)$ (respectively, $\Sigma^*_g(F)$) we have $I^*(v)$ equal to $\sigma_p(J^*(v))$ (resp., $\sigma_g(J^*(v))$). Finally, for any propositional variable $a$, we let $I^*(a)$ equal $J^*(a)$.

For any EUF formula, isomorphic interpretations will always yield identical valuations, giving $I^*[F^*] = J^*[F^*]$. Hence the set of interpretations satisfying the restrictions of the corollary form a sufficient set to prove the universal validity of $F^*$. □


5  Reductions  to  Propositional  Logic 

We present two different methods of translating a PEUF formula into a propositional formula that is tautological if and only if the original formula is universally valid. Both use the function and predicate elimination method described in the previous section so that the translation can be applied to a formula $F^*$ containing only domain and propositional variables. In addition, we assume that a subset of the domain variables $\Sigma^*_p(F)$ has been identified such that we only need to encode interpretations that are diverse over these variables.


5.1  Translation  Based  on  Bit  Vector  Interpretations 

A formula such as $F^*$ containing only domain and propositional variables can readily be translated into one in propositional logic, using the set of bit vectors of some length $k$ greater than or equal to $\log_2 m$ as the domain of interpretation for a formula containing $m$ domain variables [VB98]. In this formulation, we represent a domain variable as a vector of propositional variables, where truth value false encodes bit value 0, and truth value true encodes bit value 1. In [VB98] we described an encoding scheme in which the $i$th domain variable is encoded as a bit vector of the form $\langle 0, \ldots, 0, a_{i,k-1}, \ldots, a_{i,0} \rangle$ where $k = \lceil \log_2 i \rceil$, and each $a_{i,j}$ is a propositional variable. This scheme can be viewed as encoding interpretations of the domain variables over the integers where the $i$th domain variable ranges over the set $\{0, \ldots, i-1\}$ [PRSS99]. That is, it may equal any of its predecessors, or it may be distinct.

We then recursively translate $F^*$ using vectors of propositional formulas to represent terms. By this means we then reduce $F^*$ to a propositional formula that is tautological if and only if $F^*$, and consequently the original EUF formula $F$, is universally valid.

We can exploit positive equality by using fixed bit vectors, rather than vectors of propositional variables, when encoding variables in $\Sigma^*_p(F)$. Furthermore, we can construct our bit encodings such that the vectors encoding variables in $\Sigma^*_g(F)$ never match the bit patterns encoding variables in $\Sigma^*_p(F)$. As an illustration, consider formula $F_{eg}$ given by Equation 1 translated into formula $F^*_{eg}$ as diagrammed at the bottom of Figure 4. We need only encode interpretations of the variables $x$, $y$, $vg_1$, $vg_2$, $vg_3$, $vh_1$, and $vh_2$ that are diverse with respect to the last five variables. Therefore, we can assign 3-bit encodings to the seven variables as follows:


$x$ : $\langle 0, 0, 0 \rangle$
$y$ : $\langle 0, 0, a_{1,0} \rangle$
$vg_1$ : $\langle 0, 1, 0 \rangle$
$vg_2$ : $\langle 0, 1, 1 \rangle$
$vg_3$ : $\langle 1, 0, 0 \rangle$
$vh_1$ : $\langle 1, 0, 1 \rangle$
$vh_2$ : $\langle 1, 1, 0 \rangle$

where $a_{1,0}$ is a propositional variable. This encoding uses the same scheme as [VB98] for the variables in $\Sigma^*_g(F)$ but uses fixed bit patterns for the variables in $\Sigma^*_p(F)$. As a consequence, we require just a single propositional variable to encode formula $F^*_{eg}$.

As a further refinement, we could apply methods devised by Pnueli et al. to reduce the size of the domains associated with each variable in $\Sigma^*_g(F)$ [PRSS99]. This will in turn allow us to reduce the number of propositional variables required to encode each domain variable in $\Sigma^*_g(F)$.
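The encoding table above can be reproduced and the check actually run. The following Python is an added example written for this page, not code from the paper. $F^*_{eg}$ is written out by hand as a predicate over domain values, following the elimination of Section 4.2 with $vg_1$, $vg_2$, $vg_3$ standing for $g(x)$, $g(y)$, $g(g(x))$ and $vh_1$, $vh_2$ for the two $h$-applications (an assumption about the exact shape of Figure 4, which is not reproduced here); the p/g classification of the variables is supplied by the caller. `bit_encodings` builds the Section 5.1 bit patterns, and `check_with_fixed_p_values` enumerates only the interpretations Corollary 1 allows. The last two calls show the soundness caveat from Section 4.3.1: fixing a variable that is not in $\Sigma^*_p(F)$ makes a non-valid formula appear valid.

```python
import itertools
from math import ceil, log2

def f_star_eg(x, y, vg1, vg2, vg3, vh1, vh2):
    """F*_eg as obtained from F_eg by the elimination of Section 4.2: vg1, vg2, vg3 stand for
    g(x), g(y), g(g(x)) and vh1, vh2 for h(g(x), g(g(x))), h(g(y), g(g(x))).  The nested ITE
    terms become conditionals over domain values (small integers here)."""
    u1 = vg1                                            # g(x)
    u2 = vg1 if y == x else vg2                         # g(y)
    u3 = vg1 if u1 == x else vg2 if u1 == y else vg3    # g(g(x))
    w1 = vh1                                            # h(u1, u3)
    w2 = vh1 if (u2 == u1 and u3 == u3) else vh2        # h(u2, u3); u3 = u3 mirrors vg3 = vg3
    return x != y or w1 == w2                           # (x = y) => h(...) = h(...)

def bit_encodings(gvars, pvars):
    """Section 5.1 bit patterns over k = ceil(log2 m) bits for m domain variables.  The g-variable
    at position i (counted from 0) ranges over {0, ..., i}, so its ceil(log2(i+1)) low-order bits
    are propositional variables a_{i,j}; each p-variable gets a fixed pattern above every g-value,
    so the two kinds can never coincide."""
    k = ceil(log2(len(gvars) + len(pvars)))
    enc = {}
    for i, v in enumerate(gvars):
        nbits = ceil(log2(i + 1))
        enc[v] = (0,) * (k - nbits) + tuple(f'a_{i},{j}' for j in reversed(range(nbits)))
    for n, v in enumerate(pvars, start=len(gvars)):
        enc[v] = tuple(int(b) for b in format(n, f'0{k}b'))
    return enc

def check_with_fixed_p_values(formula, gvars, pvars):
    """Corollary 1: evaluate `formula` (a predicate with one keyword argument per domain variable)
    under every interpretation that fixes the p-variables to distinct values and lets the
    g-variable at position i range over {0, ..., i}.  Returns (valid, interpretations tried)."""
    fixed = {v: len(gvars) + n for n, v in enumerate(pvars)}
    tried = 0
    for gvals in itertools.product(*(range(i + 1) for i in range(len(gvars)))):
        tried += 1
        if not formula(**dict(zip(gvars, gvals)), **fixed):
            return False, tried
    return True, tried

G_VARS, P_VARS = ['x', 'y'], ['vg1', 'vg2', 'vg3', 'vh1', 'vh2']  # Sigma*_g(F_eg), Sigma*_p(F_eg)

if __name__ == '__main__':
    for v, bits in bit_encodings(G_VARS, P_VARS).items():
        print(v, bits)                                            # the table above
    print(check_with_fixed_p_values(f_star_eg, G_VARS, P_VARS))   # (True, 2)
    # Caveat: fixing a variable that is not in Sigma*_p(F) is unsound.  x != y is not valid,
    # yet fixing y to a value distinct from x's makes the check pass.
    print(check_with_fixed_p_values(lambda x, y: x != y, G_VARS, []))    # (False, 1)
    print(check_with_fixed_p_values(lambda x, y: x != y, ['x'], ['y']))  # (True, 1)
```

With seven domain variables a naive bit-vector encoding would need 3 bits for each of them; here only $y$ keeps a propositional variable, so the validity check visits two interpretations, matching the single-variable encoding the text arrives at.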


5.2  Translation  Based  on  Pairwise  Encodings  of  Term  Equality 

Goel et al. [GSZAS98] describe a method for generating a propositional formula from an EUF formula, such that the propositional formula will be a tautology if and only if the EUF formula is universally valid. They first use Ackermann's method to eliminate function applications of nonzero order [Ack54]. Then they introduce a propositional variable $e_{i,j}$ for each pair of domain variables $v_i$ and $v_j$ encoding the conditions under which the two variables have matching values. Finally, they generate a propositional formula in terms of the $e_{i,j}$ variables.

The propositional formula they generate does not enforce constraints among the $e_{i,j}$ variables due to the transitivity of equality, i.e., constraints of the form $e_{i,j} \wedge e_{j,k} \Rightarrow e_{i,k}$. As a result, in attempting to prove the formula is a tautology, they may generate false "counterexamples." They express the set of potential counterexamples as a BDD and then systematically eliminate those that contain transitivity violations.

We provide a modified formulation of their approach that exploits the properties of p-formulas to encode only valuations under maximally diverse interpretations. As a consequence, we require $e_{i,j}$ variables only to express equality among those domain variables that represent g-term values in the original formula.

We describe a method of expressing the transitivity constraints in our formulas that exploits the sparse structure of the variables. In practice, we have actually found that our processor models can be verified without enforcing any transitivity constraints. Apparently the transitivity conditions that caused problems for Goel et al. correspond to p-terms in our verifications and hence do not require any propositional variables.


5.2.1  Construction  of  Propositional  Formula 


Starting with p-formula $F$, we apply our method of eliminating function applications to give a formula $F^*$ containing only domain and propositional variables. The domain variables in $F^*$ are partitioned into sets $\Sigma^*_g(F)$, corresponding to g-function applications in $F$, and $\Sigma^*_p(F)$, corresponding to p-function applications in $F$. Let us identify the variables in $\Sigma^*_g(F)$ as $\{v_1, \ldots, v_N\}$, and the variables in $\Sigma^*_p(F)$ as $\{v_{N+1}, \ldots, v_{N+M}\}$. We need only encode interpretations that are diverse in this latter set of variables.

For values of $i$ and $j$ such that $1 \le i < j \le N$, define propositional variables $e_{i,j}$ encoding the equality relation between variables $v_i$ and $v_j$. We require these propositional variables only for indices less than or equal to $N$. Higher indices correspond to variables in $\Sigma^*_p(F)$, and we can assume for any such variable $v_i$ that it will equal variable $v_j$ only when $i = j$.

For each term $T$ in $F^*$, and each $v_i$ with $1 \le i \le N+M$, we generate a formula $\mathit{enct}_i(T)$ encoding the conditions under which the control formulas in the ITEs in term $T$ will be set so that the value of $T$ becomes that of domain variable $v_i$. In addition, for each formula $G$ we define a propositional formula $\mathit{encf}(G)$ giving the encoded form of $G$. These formulas are defined by mutual recursion. The base cases are:

$\mathit{encf}(\mathit{true}) = \mathit{true}$

$\mathit{encf}(\mathit{false}) = \mathit{false}$

$\mathit{encf}(a) = a$, for $a$ a propositional variable

$\mathit{enct}_i(v_i) = \mathit{true}$

$\mathit{enct}_j(v_i) = \mathit{false}$, for $i \ne j$

For the logical connectives, we define $\mathit{encf}$ in the obvious way:

$\mathit{encf}(\neg G_1) = \neg \mathit{encf}(G_1)$
$\mathit{encf}(G_1 \wedge G_2) = \mathit{encf}(G_1) \wedge \mathit{encf}(G_2)$
$\mathit{encf}(G_1 \vee G_2) = \mathit{encf}(G_1) \vee \mathit{encf}(G_2)$

For ITE terms, we define $\mathit{enct}_i$ as:

$\mathit{enct}_i(\mathit{ITE}(G, T_1, T_2)) = \mathit{encf}(G) \wedge \mathit{enct}_i(T_1) \;\vee\; \neg\mathit{encf}(G) \wedge \mathit{enct}_i(T_2)$

For equations, we define $\mathit{encf}(T_1 = T_2)$ to be

$$\mathit{encf}(T_1 = T_2) = \bigvee_{1 \le i,j \le N} \mathit{enct}_i(T_1) \wedge e_{[i,j]} \wedge \mathit{enct}_j(T_2) \;\;\vee\;\; \bigvee_{N+1 \le i \le N+M} \mathit{enct}_i(T_1) \wedge \mathit{enct}_i(T_2) \qquad (6)$$

where $e_{[i,j]}$ is defined for $1 \le i,j \le N$ as:

$$e_{[i,j]} = \begin{cases} \mathit{true} & i = j \\ e_{i,j} & i < j \\ e_{j,i} & i > j \end{cases}$$

Informally, Equation 6 expresses the property that there are two ways for a pair of terms to be equal in an interpretation. The first way is if the two terms evaluate to the same variable, i.e., we have both $\mathit{enct}_i(T_1)$ and $\mathit{enct}_i(T_2)$ hold for some variable $v_i$. For $1 \le i \le N$, the left hand part of Equation 6 will hold since $e_{[i,i]} = \mathit{true}$. For $N+1 \le i \le N+M$, the right hand part of Equation 6 will hold. The second way is that two terms will be equal under some interpretation when they evaluate to two different variables $v_i$ and $v_j$ that have the same value. In this case we will have $\mathit{enct}_i(T_1)$, $\mathit{enct}_j(T_2)$, and $e_{[i,j]}$ hold, where $1 \le i,j \le N$. Observe that Equation 6 encodes only interpretations that are diverse over $\{v_{N+1}, \ldots, v_{N+M}\}$. It makes use of the fact that when $N+1 \le i \le N+M$, variable $v_i$ will equal variable $v_j$ only if $i = j$.

As an example, Figure 7 shows an encoding of formula $F^*$ given in Figure 4, which was derived from the original formula $F$ shown in Figure 3. The variables in $\Sigma^*_g(F)$ are $x$ and $y$. These are renamed as $v_1$ and $v_2$, giving $N = 2$. The variables in $\Sigma^*_p(F)$ are $vg_1$, $vg_2$, $vg_3$, $vh_1$, and $vh_2$. These are relabeled as $v_3$ through $v_7$, giving $M = 5$. Each formula in the figure is annotated by a (simplified) propositional formula, while each term $T$ is annotated by a list with entries of the form $i\colon \mathit{enct}_i(T)$, for those entries such that $\mathit{enct}_i(T) \ne \mathit{false}$. We use the shorthand notation "T" for true and "F" for false. Our encoding introduces a single propositional variable $e_{1,2}$. It can be seen that our method encodes only the interpretations for $F^*$ labeled as D1 and D2 in Table 2. When $e_{1,2}$ is false, we encode interpretation D2, in which $x \ne y$ and every function application term yields a distinct value. When $e_{1,2}$ is true, we encode interpretation D1, in which $x = y$ and hence we have $g(x) = g(y)$ and $h(g(x), g(g(x))) = h(g(y), g(g(x)))$.

Figure 7: Encoding Example Formula in Propositional Logic. Each term $T$ is represented as a list giving the non-false values of $\mathit{enct}_i(T)$.
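As an added, runnable illustration of the whole pipeline (example code written for this page, not the authors' implementation), the Python below eliminates function applications with nested ITE terms as in Section 4.2 and Theorem 2, splits the resulting domain variables into $\Sigma^*_g(F)$ and $\Sigma^*_p(F)$, applies Equation 6 (dropping the $\mathit{enct}_i$ entries that are identically false, as Figure 7 does), and checks the result over every assignment that obeys transitivity, as Lemmas 8 and 9 require. Two assumptions: the p-function symbols (domain variables included) are supplied by the caller rather than computed from the polarity structure of the formula, and the fresh variables are numbered in the order the applications are met in an innermost-first, left-to-right traversal, so $vg_2$ here stands for $g(g(x))$ rather than $g(y)$; the check is equivalent up to that renaming. Run on $F_{eg}$ it introduces exactly one propositional variable, $e_{1,2}$, and reports a tautology; run on the consequent alone it reports a non-tautology (the encoding is just $e_{1,2}$, false when $x \ne y$).

```python
import itertools
# Terms: ('var', name) | ('app', f, (args,)) | ('ite', formula, term, term).  Formulas: True | False |
# ('pvar', a) | ('not', F) | ('and', F, G) | ('or', F, G) | ('eq', T1, T2); the encoding reuses the first six.

def NOT(a):
    return (not a) if isinstance(a, bool) else ('not', a)
def AND(a, b):  # constant folding keeps the generated encodings small
    if a is False or b is False: return False
    return b if a is True else a if b is True else ('and', a, b)
def OR(a, b):
    if a is True or b is True: return True
    return b if a is False else a if b is False else ('or', a, b)

def elim_fun(G, f):
    """Section 4.2: replace each f-application by a nested ITE over fresh domain variables
    vf_1..vf_n (numbered innermost-first, left to right).  Returns (G-hat, fresh names)."""
    table = []  # one (hatted arguments, vf_i, U_i) entry per distinct application T_i
    def hat(E):
        if isinstance(E, bool) or E[0] in ('var', 'pvar'): return E
        if E[0] != 'app': return (E[0],) + tuple(hat(x) for x in E[1:])
        args = tuple(hat(a) for a in E[2])
        if E[1] != f: return ('app', E[1], args)
        for prev, _, u in table:  # a structurally identical application reuses U_j
            if prev == args: return u
        vf = u = ('var', f'v{f}{len(table) + 1}')
        for prev, pv, _ in reversed(table):  # U_i = ITE(args = args_1, vf_1, ITE(..., vf_i))
            same = True
            for a, b in zip(args, prev): same = AND(same, ('eq', a, b))
            u = ('ite', same, pv, u)
        table.append((args, vf, u))
        return u
    return hat(G), [vf[1] for _, vf, _ in table]

class Encoder:  # Equation 6 over F*: g-variables are v_1..v_N, p-variables v_{N+1}..v_{N+M}
    def __init__(self, gv, pv):
        self.N, self.idx = len(gv), {v: i + 1 for i, v in enumerate(gv + pv)}
    def enct(self, T):  # {i: enct_i(T)}, restricted to entries that are not identically false
        if T[0] == 'var': return {self.idx[T[1]]: True}
        c, out = self.encf(T[1]), {}
        for cond, branch in ((c, T[2]), (NOT(c), T[3])):
            for i, p in self.enct(branch).items():
                if AND(cond, p) is not False: out[i] = OR(out.get(i, False), AND(cond, p))
        return out
    def encf(self, G):
        if isinstance(G, bool) or G[0] == 'pvar': return G
        if G[0] == 'not': return NOT(self.encf(G[1]))
        if G[0] in ('and', 'or'):
            return (AND if G[0] == 'and' else OR)(self.encf(G[1]), self.encf(G[2]))
        acc, right = False, self.enct(G[2])  # G is an equation T1 = T2
        for i, p in self.enct(G[1]).items():
            for j, q in right.items():
                if i <= self.N and j <= self.N:  # two g-variables may coincide: e_[i,j]
                    e = True if i == j else ('pvar', f'e{min(i, j)}_{max(i, j)}')
                    acc = OR(acc, AND(AND(p, e), q))
                elif i == j:  # a p-variable equals only itself (maximal diversity)
                    acc = OR(acc, AND(p, q))
        return acc

def pvars(P, acc):
    if isinstance(P, bool): return acc
    if P[0] == 'pvar': acc.add(P[1])
    for x in (() if P[0] == 'pvar' else P[1:]): pvars(x, acc)
    return acc

def evalp(P, env):
    if isinstance(P, bool): return P
    if P[0] == 'pvar': return env[P[1]]
    if P[0] == 'not': return not evalp(P[1], env)
    return (all if P[0] == 'and' else any)(evalp(x, env) for x in P[1:])

def is_tautology(P, N):
    """P holds under every assignment obeying transitivity of e_[i,j] (Lemmas 8 and 9); every
    e_{i,j} with i < j <= N is enumerated, whether or not it occurs in P."""
    R = range(1, N + 1)
    names = sorted(pvars(P, {f'e{i}_{j}' for i in R for j in R if i < j}))
    for bits in itertools.product((False, True), repeat=len(names)):
        env = dict(zip(names, bits))
        e = lambda i, j: True if i == j else env[f'e{min(i, j)}_{max(i, j)}']
        if all(not (e(i, j) and e(j, k)) or e(i, k) for i in R for j in R for k in R):
            if not evalp(P, env): return False
    return True

def verify(F, funcs, p_symbols, dvars):
    """Theorem 2's process, then Equation 6: eliminate the symbols in `funcs` in turn, split the
    domain variables into Sigma*_g(F) / Sigma*_p(F) (`p_symbols` = p-function symbols, domain
    variables included), encode and check.  Returns (valid?, propositional variables in encf(F*))."""
    gv, pv = [v for v in dvars if v not in p_symbols], [v for v in dvars if v in p_symbols]
    for f in funcs:
        F, fresh = elim_fun(F, f)
        (pv if f in p_symbols else gv).extend(fresh)
    P = Encoder(gv, pv).encf(F)
    return is_tautology(P, len(gv)), sorted(pvars(P, set()))

# Constructed example: F_eg = (x = y) => h(g(x), g(g(x))) = h(g(y), g(g(x))); x and y are g-terms
# (they occur in the negated equation), g and h are p-function symbols.
X, Y = ('var', 'x'), ('var', 'y')
g = lambda t: ('app', 'g', (t,))
h = lambda a, b: ('app', 'h', (a, b))
CONSEQUENT = ('eq', h(g(X), g(g(X))), h(g(Y), g(g(X))))
F_EG = ('or', ('not', ('eq', X, Y)), CONSEQUENT)
```

`verify(F_EG, ['g', 'h'], {'g', 'h'}, ['x', 'y'])` returns `(True, ['e1_2'])` and `verify(CONSEQUENT, ...)` returns `(False, ['e1_2'])`. Enumerating the $e_{i,j}$ is exponential in $N$, so for anything beyond a toy formula the propositional result would be handed to a BDD package or SAT solver, with the transitivity constraints added as the next section describes; what matters here is that the $M$ variables of $\Sigma^*_p(F)$ contribute no propositional variables at all.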

In general, the final result of the recursive translation will be a propositional formula $\mathit{encf}(F^*)$. The variables in this formula consist of the propositional variables that occur in $F^*$ as well as a subset of the variables of the form $e_{i,j}$. Nothing in this formula enforces the transitivity of equality. We will discuss in the next section how to impose transitivity constraints in a way that exploits the sparse structure of the equations. Other than transitivity, we claim that the translation $\mathit{encf}(F^*)$ captures validity of $F^*$, and consequently the original p-formula $F$. For an interpretation $J$ over a set of propositional variables, including variables of the form $e_{i,j}$ for $1 \le i < j \le N$, we say that $J$ obeys transitivity when for all $i$, $j$, and $k$ such that $1 \le i,j,k \le N$ we have

$$J[e_{[i,j]}] \wedge J[e_{[j,k]}] \Rightarrow J[e_{[i,k]}].$$

To formalize the intuition behind the encoding, let $I^*$ be an interpretation of the variables in the translated formula $F^*$. For interpretation $I^*$, define $\mathit{sel}_{I^*}(T)$ to be a function mapping each term $T$ in $F^*$ to the index of the unique domain variable selected by the values of the ITE control formulas in $T$. That is, $\mathit{sel}_{I^*}(v_i) = i$, while $\mathit{sel}_{I^*}(\mathit{ITE}(G, T_1, T_2))$ is defined as $\mathit{sel}_{I^*}(T_1)$ when $I^*[G] = \mathit{true}$ and as $\mathit{sel}_{I^*}(T_2)$ when $I^*[G] = \mathit{false}$.

Proposition 2 For all interpretations $I^*$ of the variables in $F^*$ and any term $T$ occurring in $F^*$, if $\mathit{sel}_{I^*}(T) = i$, then $I^*[T] = I^*(v_i)$.

Lemma 8 For any interpretation $I^*$ of the variables in $F^*$ that is diverse for $\Sigma^*_p(F)$, there is an interpretation $J$ of the variables in $\mathit{encf}(F^*)$ that obeys transitivity and such that $J[\mathit{encf}(F^*)] = I^*[F^*]$.

Proof: For each propositional variable $a$ occurring in $F^*$, we define $J(a) = I^*(a)$. For each pair of variables $v_i$ and $v_j$ such that $1 \le i < j \le N$, we define $J(e_{i,j})$ to be true iff $I^*(v_i) = I^*(v_j)$. We can see that $J$ must obey transitivity, because it is defined in terms of a transitive relation in $I^*$.

We prove the following hypothesis by induction on the expression depths:

1. For every formula $G$ in $F^*$: $J[\mathit{encf}(G)] = I^*[G]$.

2. For every term $T$ in $F^*$ and all $i$ such that $1 \le i \le N+M$: $J[\mathit{enct}_i(T)] = \mathit{true}$ iff $\mathit{sel}_{I^*}(T) = i$.

The base cases hold as follows:

1. Formulas of the form true, false, and $a$ have $\mathit{encf}(G) = G$ and $J[G] = I^*[G]$.

2. Term $v_j$ has $J[\mathit{enct}_i(v_j)] = \mathit{true}$ iff $j = i$, and $\mathit{sel}_{I^*}(v_j) = i$ iff $j = i$.

Assuming the induction hypothesis holds for formulas $G_1$ and $G_2$, one can readily see that it will hold for formulas $\neg G_1$, $G_1 \wedge G_2$, and $G_1 \vee G_2$, by the definition of $\mathit{encf}$.

Assuming the induction hypothesis holds for formula $G$ and for terms $T_1$ and $T_2$, consider term $T$ of the form $\mathit{ITE}(G, T_1, T_2)$. For the case where $I^*[G] = \mathit{true}$, we have $I^*[T] = I^*[T_1]$, and also $\mathit{sel}_{I^*}(T) = \mathit{sel}_{I^*}(T_1)$. The induction hypothesis for $T_1$ gives $J[\mathit{enct}_i(T_1)] = \mathit{true}$ iff $\mathit{sel}_{I^*}(T_1) = i$. The induction hypothesis for $G$ gives $J[\mathit{encf}(G)] = I^*[G] = \mathit{true}$, and hence $J[\mathit{enct}_i(T)] = J[\mathit{enct}_i(T_1)]$. From all this, we can conclude that $J[\mathit{enct}_i(T)] = \mathit{true}$ iff $\mathit{sel}_{I^*}(T) = i$. A similar argument holds when $I^*[G] = \mathit{false}$, but based on the induction hypothesis for $T_2$.

Finally, assuming the induction hypothesis holds for terms $T_1$ and $T_2$, consider the equation $T_1 = T_2$. Suppose that $\mathit{sel}_{I^*}(T_1) = i$ and $\mathit{sel}_{I^*}(T_2) = j$. Our induction hypothesis for $T_1$ and $T_2$ gives $J[\mathit{enct}_i(T_1)] = J[\mathit{enct}_j(T_2)] = \mathit{true}$. Suppose either $i > N$ or $j > N$. Then we will have $I^*(v_i) = I^*(v_j)$ iff $i = j$. In addition, the right hand part of Equation 6 will hold under $J$ iff $i = j$. Otherwise, suppose that $1 \le i,j \le N$. We will have $I^*(v_i) = I^*(v_j)$ iff $J[e_{[i,j]}] = \mathit{true}$. In addition, the left hand part of Equation 6 will hold under $J$ iff $J[e_{[i,j]}] = \mathit{true}$. □
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Figure  8:  Case  Analysis  for  Part  3b  of  Proof  of  Lemma  9.  Solid  lines  denote  equalities,  while 
dashed  lines  denote  inequalities. 

Lemma 9 For every interpretation $J$ of the variables in $\mathit{encf}(F^*)$ that obeys transitivity, there is an interpretation $I^*$ of the variables in $F^*$ such that $I^*[F^*] = J[\mathit{encf}(F^*)]$.

Proof: We define interpretation $I^*$ over the domain of integers $\{1, \ldots, N + M\}$. For propositional variable $a$, we define $I^*(a) = J(a)$. For $1 \le j \le N$ we let $I^*(v_j)$ be the minimum value of $i$ such that $J[e_{i,j}] = \mathit{true}$. For $N < j \le N + M$ we let $I^*(v_j) = j$. Observe that this interpretation gives $I^*(v_j) \le j$ for all $j \le N$, since $e_{j,j} = \mathit{true}$, and $I^*(v_j) = j$ for $j > N$.

We claim that for $i \le N$, if $I^*(v_j) = i$, then we must have $I^*(v_i) = i$ as well. If instead we had $I^*(v_i) = k < i$, then we must have $J[e_{k,i}] = \mathit{true}$. Combining this with $J[e_{i,j}] = \mathit{true}$, the transitivity requirement would give $J[e_{k,j}] = \mathit{true}$, but this would imply that $I^*(v_j) \le k < i$, contradicting $I^*(v_j) = i$.

We prove the following hypothesis by induction on the expression depths:

1. For every formula $G$ in $F^*$: $I^*[G] = J[\mathit{encf}(G)]$.

2. For every term $T$ in $F^*$ and all $i$ such that $1 \le i \le N + M$: $\mathit{sel}_{I^*}(T) = i$ iff $J[\mathit{enct}_i(T)] = \mathit{true}$.

The base cases hold as follows:

1. Formulas of the form $\mathit{true}$, $\mathit{false}$, and $a$ have $G = \mathit{encf}(G)$ and $I^*[G] = J[G]$.

2. Term $v_j$ has $\mathit{sel}_{I^*}(v_j) = i$ iff $j = i$ and $J[\mathit{enct}_i(v_j)] = \mathit{true}$ iff $j = i$.

Assuming the induction hypothesis holds for formulas $G_1$ and $G_2$, it holds for $\neg G_1$, $G_1 \wedge G_2$, and $G_1 \vee G_2$ directly by the definition of $\mathit{encf}$, exactly as in the previous lemma.

Assuming the induction hypothesis holds for formula $G$ and for terms $T_1$ and $T_2$, consider term $T$ of the form $\mathit{ITE}(G, T_1, T_2)$. For the case where $J[\mathit{encf}(G)] = \mathit{true}$, we have $J[\mathit{enct}_i(T)] = J[\mathit{enct}_i(T_1)]$. The induction hypothesis for $T_1$ gives $\mathit{sel}_{I^*}(T_1) = i$ iff $J[\mathit{enct}_i(T_1)] = \mathit{true}$. The induction hypothesis for $G$ gives $I^*[G] = J[\mathit{encf}(G)] = \mathit{true}$, giving $I^*[T] = I^*[T_1]$, and also $\mathit{sel}_{I^*}(T) = \mathit{sel}_{I^*}(T_1)$. Combining all this gives $\mathit{sel}_{I^*}(T) = i$ iff $J[\mathit{enct}_i(T)] = \mathit{true}$. A similar argument can be made when $J[\mathit{encf}(G)] = \mathit{false}$, but based on the induction hypothesis for $T_2$.

Finally, assuming the induction hypothesis holds for terms $T_1$ and $T_2$, consider the equation $T_1 = T_2$. Let $i = \mathit{sel}_{I^*}(T_1)$ and $j = \mathit{sel}_{I^*}(T_2)$. In addition, let $k = I^*(v_i)$ and $l = I^*(v_j)$. Our induction hypothesis gives $J[\mathit{enct}_i(T_1)] = \mathit{true}$ and $J[\mathit{enct}_j(T_2)] = \mathit{true}$. Proposition 2 gives $I^*[T_1] = k$ and $I^*[T_2] = l$. By our earlier argument, we must also have $I^*(v_k) = k$ and $I^*(v_l) = l$. We consider different cases for the values of $i$, $j$, $k$, and $l$.

1. Suppose $i > N$. Then we must have $k = I^*(v_i) = i$. Equation $T_1 = T_2$ will hold under $I^*$ iff $I^*(v_j) = l = k$, and this will hold iff $j = l = k = i$. In addition, the right hand part of Equation 6 will hold under $J$ iff $i = j$.

2. Suppose $j > N$. By an argument similar to the previous one, we will have equation $T_1 = T_2$ holding under interpretation $I^*$ and Equation 6 holding under interpretation $J$ iff $i = j$.

3. Suppose $1 \le i, j \le N$. Since $I^*(v_i) = k = I^*(v_k)$ we must have $J[e_{k,i}] = \mathit{true}$. Similarly, since $I^*(v_j) = l = I^*(v_l)$ we must have $J[e_{l,j}] = \mathit{true}$.

(a) Suppose $k = l$, and hence $T_1 = T_2$ holds under $I^*$. Then we have $J[e_{i,k}] = J[e_{k,j}] = \mathit{true}$. Our transitivity requirement then gives $J[e_{i,j}] = \mathit{true}$, and hence the left hand part of Equation 6 will hold under $J$.

(b) Suppose $k \ne l$, and hence $T_1 = T_2$ does not hold under $I^*$. We must have $J[e_{k,l}] = \mathit{false}$: otherwise the definition of $I^*$ would give the larger of $k$ and $l$ a value no greater than the smaller, contradicting $I^*(v_k) = k$ and $I^*(v_l) = l$. This condition is illustrated in the left hand diagram of Figure 8. In this figure we use solid lines to denote equalities and dashed lines to denote inequalities. We argue that we must also have $J[e_{i,j}] = \mathit{false}$ by the following case analysis for $e_{k,j}$:

i. For $J[e_{k,j}] = \mathit{true}$, we get the case diagrammed in the middle of Figure 8, where the diagonal line creates a triangle with just one dashed line (inequality). This represents a violation of our transitivity requirement, since it indicates $J[e_{k,j}] = J[e_{j,l}] = \mathit{true}$, but $J[e_{k,l}] = \mathit{false}$.

ii. For $J[e_{k,j}] = \mathit{false}$ and $J[e_{i,j}] = \mathit{true}$, we have the case diagrammed on the right side of Figure 8. Again we have a triangle with just one dashed line indicating a violation of our transitivity requirement, with $J[e_{k,i}] = J[e_{i,j}] = \mathit{true}$, but $J[e_{k,j}] = \mathit{false}$.

With $J[e_{i,j}] = \mathit{false}$, Equation 6 will not hold under $J$.

From this case analysis we see that $T_1 = T_2$ holds under $I^*$ iff Equation 6 holds under $J$. $\Box$


5.2.2 Transitivity Constraints

We may need to constrain our top level formula to only consider interpretations of the variables of the form $e_{i,j}$ that preserve the transitivity of equality. For example, if we have variables $e_{1,2}$, $e_{2,3}$, and $e_{1,3}$, we want to avoid interpretations that assign the value $\mathit{true}$ to two of these variables, but $\mathit{false}$ to the third. On the other hand, there is no need to add transitivity constraints for cases where the equality of two subexpressions has no bearing on the truth of our top-level formula.
Figure 9: Case Analysis for Proof of Lemma 10 (left panel: Red Chord; right panel: Black Chord). Solid lines denote black edges (equalities), while dashed lines denote red edges (inequalities).


We therefore propose a method of enforcing transitivity that exploits the sparse structure of the equality comparisons. We view this task as one of generating a set of constraints $\mathit{Trans}$, where each constraint is a formula over the variables. Our final verification condition is then expressed as the formula

$$\Big[\bigwedge_{G \in \mathit{Trans}} G\Big] \Rightarrow \mathit{encf}(F^*).$$

Let $X$ denote the set of all variables of the form $e_{i,j}$ occurring in $\mathit{encf}(F^*)$. Create an undirected graph having a vertex for every $i$ such that $1 \le i \le N$, and an edge $(i,j)$ for every variable of the form $e_{i,j}$ in $X$. For an interpretation $J$ of the variables in $X$, color edge $(i,j)$ red when $J(e_{i,j})$ is $\mathit{false}$ and color it black when $J(e_{i,j})$ is $\mathit{true}$. One can see that this interpretation will violate transitivity if and only if there is some cycle in the graph containing exactly one red edge: the black edges of such a cycle form a chain of equalities connecting the two endpoints of the red edge, which the red edge asserts to be unequal. This generalizes the case for triangles we saw in Figure 8, where red edges are denoted with dashed lines. We must add constraints to $\mathit{Trans}$ that eliminate such interpretations.

Rather than enumerating all of the cycles in the graph, we augment the set $X$ with additional variables of the form $e_{i,j}$ such that the resulting graph becomes chordal [Rose70]. That is, the graph has the property that for every cycle of length greater than 3, there is an edge (called a chord of the cycle) connecting two vertices that are not adjacent in the cycle. Such graphs have been studied extensively in the context of sparse Gaussian elimination. In fact, the problem of finding a minimum set of additional variables to add to our set is identical to the problem of finding an elimination ordering for Gaussian elimination that minimizes the amount of fill-in. Although this problem is NP-complete [Yan81], there are good heuristic solutions.

Lemma 10 If a chordal graph contains no triangle having exactly one red edge, then it contains no cycle containing exactly one red edge.

Proof: The proof proceeds by induction on the cycle length, with cycles of length 3 forming the trivial base case. Assume some cycle $C$ of length $k$ greater than 3 contains exactly one red edge, but no smaller cycle has this property. Cycle $C$ must have a chord splitting it into two cycles $C_1$ and $C_2$, both of which are shorter than $k$, and both containing the chord. Assume without loss of generality that the red edge of $C$ is in $C_1$. Consider the two cases illustrated in Figure 9. If the chord is colored red (left), it would be the only red edge in cycle $C_2$. If the chord is colored black (right), then cycle $C_1$ would contain the only red edge that occurs in $C$. In either case, we have found a cycle of length less than $k$ containing exactly one red edge, contradicting our assumption about $C$. $\Box$

Assume this augmentation yields a set of variables $X'$. Then for every value of $i$, $j$, and $k$, such that $i < j$ and $j < k$, and such that there are variables $e_{i,j}$, $e_{i,k}$, and $e_{j,k}$ in $X'$, we add three transitivity constraints to $\mathit{Trans}$: $e_{i,j} \wedge e_{j,k} \Rightarrow e_{i,k}$, $e_{i,k} \wedge e_{j,k} \Rightarrow e_{i,j}$, and $e_{i,j} \wedge e_{i,k} \Rightarrow e_{j,k}$. These constraints guarantee that any interpretation of the variables in $X'$ gives an edge coloring that has no cycle of length 3 containing exactly one red edge. By Lemma 10 this property guarantees that no larger cycle can have exactly one red edge, either, and hence the interpretation must satisfy transitivity.

Theorem 4 P-formula $F$ is universally valid iff the propositional formula $[\bigwedge_{G \in \mathit{Trans}} G] \Rightarrow \mathit{encf}(F^*)$ is a tautology.

Proof: This theorem follows directly from Lemmas 6, 7, and 10. $\Box$

As mentioned earlier, we have found in practice that we can verify our microprocessor designs without enforcing any transitivity constraints. The soundness of this optimization can be expressed as follows:

Corollary 2 If propositional formula $[\bigwedge_{G \in \mathit{Trans}'} G] \Rightarrow \mathit{encf}(F^*)$ is a tautology for some $\mathit{Trans}' \subseteq \mathit{Trans}$, then p-formula $F$ is universally valid.
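The construction above (chordal augmentation of the $e_{i,j}$ graph, the three triangle constraints per triangle, and the interpretation $I^*$ built in the proof of Lemma 9) can be exercised on a small graph. The following Python is an added example, not code from the paper: the vertex numbers and edge sets are constructed for illustration, and the minimum-degree elimination heuristic used for fill-in and the union-find test for one-red-edge cycles are choices of this example, not the paper's. It goes slightly beyond the text by checking every coloring of a small graph: the triangle constraints alone admit a non-transitive interpretation when a 4-cycle lacks a chord, admit none once the chord is added, and Lemma 9's $I^*$, taken over the transitive closure of the black edges, then agrees with $J$ on every edge variable.

```python
# Added example, not from the paper: transitivity constraints over the
# e_{i,j} variables of Section 5.2.2, checked by brute force on small graphs.
# Vertex numbers and edge sets below are constructed for illustration.
from itertools import combinations, product


def chordal_fill(n, edges):
    """Return the edge set plus fill-in edges that make the graph on vertices
    1..n chordal.  Uses the minimum-degree elimination heuristic from sparse
    Gaussian elimination (an assumption; the paper only says good heuristics
    exist): eliminate a lowest-degree vertex, connect its remaining
    neighbours pairwise, repeat."""
    adj = {v: set() for v in range(1, n + 1)}
    filled = set()
    for i, j in edges:
        i, j = min(i, j), max(i, j)
        adj[i].add(j); adj[j].add(i)
        filled.add((i, j))
    remaining = set(adj)
    while remaining:
        v = min(remaining, key=lambda u: (len(adj[u] & remaining), u))
        for a, b in combinations(sorted(adj[v] & remaining), 2):
            if b not in adj[a]:
                adj[a].add(b); adj[b].add(a)
                filled.add((a, b))
        remaining.remove(v)
    return sorted(filled)


def transitivity_constraints(edges):
    """For every i<j<k whose three edges are all present, the three constraints
    of the text as (premise, premise, conclusion) triples of edge variables."""
    es = set(edges)
    verts = sorted({v for e in es for v in e})
    cons = []
    for i, j, k in combinations(verts, 3):
        if {(i, j), (i, k), (j, k)} <= es:
            cons += [((i, j), (j, k), (i, k)),
                     ((i, k), (j, k), (i, j)),
                     ((i, j), (i, k), (j, k))]
    return cons


def satisfies(J, cons):
    """J maps edge -> bool (True = black = equal, False = red = unequal)."""
    return all(J[c] or not (J[a] and J[b]) for a, b, c in cons)


def black_components(n, J):
    """Vertex -> set of vertices reachable over black edges."""
    comp = {v: {v} for v in range(1, n + 1)}
    for (i, j), black in J.items():
        if black and comp[i] is not comp[j]:
            merged = comp[i] | comp[j]
            for v in merged:
                comp[v] = merged
    return comp


def one_red_cycle(n, J):
    """True iff some cycle has exactly one red edge, i.e. a red edge joins two
    vertices that are already connected by a chain of black edges."""
    comp = black_components(n, J)
    return any(not black and comp[i] is comp[j] for (i, j), black in J.items())


def lemma9_interp(n, J):
    """Lemma 9's I*: I*(v_j) is the least i with e_{i,j} true, taking e_{i,j}
    over the transitive closure of the black edges (that closure is consistent
    with J exactly when no cycle has one red edge)."""
    comp = black_components(n, J)
    return {j: min(comp[j]) for j in range(1, n + 1)}


def check_lemmas(n, edges, fill=True):
    """Enumerate every coloring J of the edge set (chordal-filled if fill).
    For every J satisfying the triangle constraints, require that no cycle
    has exactly one red edge (Lemma 10) and that I* agrees with J on every
    edge variable (Lemma 9).  Returns False on the first failure."""
    edges = chordal_fill(n, edges) if fill else sorted(
        {(min(i, j), max(i, j)) for i, j in edges})
    cons = transitivity_constraints(edges)
    for bits in product([False, True], repeat=len(edges)):
        J = dict(zip(edges, bits))
        if not satisfies(J, cons):
            continue
        if one_red_cycle(n, J):
            return False
        I = lemma9_interp(n, J)
        if any((I[i] == I[j]) != black for (i, j), black in J.items()):
            return False
    return True


if __name__ == "__main__":
    C4 = [(1, 2), (2, 3), (3, 4), (1, 4)]   # constructed: a chordless 4-cycle
    print("edges after fill-in:", chordal_fill(4, C4))
    print("unchorded, triangle constraints only:", check_lemmas(4, C4, fill=False))
    print("after chordal augmentation:", check_lemmas(4, C4, fill=True))
```

On the chordless 4-cycle the constraint set is empty, so a coloring with exactly one red edge satisfies it while violating transitivity and `check_lemmas(4, C4, fill=False)` returns False. With `fill=True` one chord and six triangle constraints are added and the check returns True, which is the property Lemma 10 and Theorem 4 rely on.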

5.2.3  Discussion 

In the formulation by Goel et al., a propositional variable would be required for every pair of function applications occurring in the original formula. In our case, we need only introduce these variables for a subset of the pairs of g-function applications. For example, their method would require 8 variables to encode the transformed version of formula $F_{eg}$ shown in Figure 6, whereas we require only 1 using either of our two encoding schemes. In addition, they found that adding transitivity constraints to the propositional formula directly caused a blow-up of the BDDs when evaluating the formula. In our case, we have far fewer variables, and we have proposed an approach that adds only a small number of additional variables and transitivity constraints, using fill-in heuristics from sparse Gaussian elimination.


6  Modeling  Microprocessors  in  PEUF 

Our interest is in verifying pipelined microprocessors, proving their equivalence to an unpipelined instruction set architecture model. We use the approach pioneered by Burch and Dill [BD94] in which the abstraction function from pipeline state to architectural state is computed by symbolically simulating a flushing of the pipeline state and then projecting away the state of all but the architectural state elements, such as the register file, program counter, and data memory. Operationally, we construct two sets of p-terms describing the final values of the state elements resulting from two different symbolic simulation sequences, one from the pipeline model and one from the instruction set model. The correctness condition is represented by a p-formula expressing the equality of these two sets of p-terms.

Our  approach  starts  with  an  RTL  or  gate-level  model  of  the  microprocessor  and  performs  a 
series  of  abstractions  to  create  a  model  of  the  data  path  using  terms  that  satisfy  the  restrictions 
of  PEUF.  Examining  the  structure  of  a  pipelined  processor,  we  find  that  the  signals  we  wish  to 
abstract  as  terms  can  be  classified  as  follows: 

Program Data: Values generated by the ALU and stored in registers and data memory. These are also used as addresses for the data memory.

Register Identifiers: Used to index the register file.

Instruction Addresses: Used to designate which instructions to fetch.

Control Values: Status flags, opcodes, and other signals modeled at the bit level.

By  proper  construction  of  the  data  path  model,  both  program  data  and  instruction  addresses  can 
be  represented  as  p-terms.  Register  identifiers,  on  the  other  hand,  must  be  modeled  as  g-terms, 
because  their  comparisons  control  the  stall  and  bypass  logic.  The  remaining  control  logic  is  kept 
at  the  bit  level. 

In  order  to  generate  such  a  model,  we  must  abstract  the  operation  of  some  of  the  processor 
units.  For  example,  the  data  path  ALU  is  abstracted  as  an  uninterpreted  p-function,  generating 
a  data  value  given  its  data  and  control  inputs.  Formally,  this  requires  extending  the  syntax  for 
function  applications  to  allow  both  formula  and  term  inputs.  We  model  the  PC  incrementer  and 
the  branch  target  logic  as  uninterpreted  functions  generating  instruction  addresses.  We  model  the 
branch  decision  logic  as  an  uninterpreted  predicate  indicating  whether  or  not  to  take  the  branch 
based  on  data  and  control  inputs.  This  allows  us  to  abstract  away  the  data  equality  test  used  by  the 
branch-on-equal  instruction. 

To model the register file, we use the memory model described by Burch and Dill [BD94], creating a nested ITE structure to encode the effect of a read operation based on the history of writes to the memory. That is, suppose at some point we have performed $k$ write operations with addresses given by terms $A_1, \ldots, A_k$ and data given by terms $D_1, \ldots, D_k$. Then the effect of a read with address term $A$ is the term:

$$\mathit{ITE}(A = A_k,\ D_k,\ \mathit{ITE}(A = A_{k-1},\ D_{k-1},\ \cdots\ \mathit{ITE}(A = A_1,\ D_1,\ f_I(A)) \cdots)) \qquad (7)$$

where $f_I$ is an uninterpreted function expressing the initial memory state. Note that the presence of these comparison and ITE operations requires register identifiers to be modeled with g-terms.
Since we view the instruction memory as being read-only, we can model the instruction memory as a collection of uninterpreted functions and predicates, each generating a different portion of the instruction field. Some of these will be p-functions (for generating immediate data), some will be g-functions (for generating register identifiers), and some will be predicates (for generating the different bits of the opcode). In practice, the interpretation of different portions of an instruction word depends on the instruction type, essentially forming a "tagged union" data type. Extracting and interpreting the different instruction fields during processor verification is an interesting research problem, but it lies outside the scope of this paper.

The data memory provides a greater modeling challenge. Since the memory addresses are generated by the ALU, they are considered program data, which we would like to model as p-terms. However, using a memory model similar to that used for the register file requires comparisons between addresses and ITE operations having the comparison results as control. Instead, we must create a more abstract memory model that weakens the semantics of a true memory to satisfy the restrictions of PEUF. Our abstraction models a memory as a generic state machine, computing a new state for each write operation based on the input data, address, and current state. Rather than Equation 7, we would express the effect of a read with address term $A$ after $k$ write operations as $f_r(S_k, A)$, where $f_r$ is an uninterpreted "memory read" function, and $S_k$ is a term representing the state of the memory after the $k$ write operations. This term is defined recursively as $S_0 = s_0$, where $s_0$ is a domain variable representing the initial state, and $S_i = f_u(S_{i-1}, A_i, D_i)$ for $i \ge 1$, where $f_u$ is an uninterpreted "memory update" function. In essence, we view write operations as making arbitrary changes to the entire memory state.

This model removes some of the correlations guaranteed by the read operations of an actual memory. For example, although it will yield identical results for two successive read operations to the same address, it will indicate that a possibly different result could be returned if these two reads are separated by a write, even to a different address. In addition, if we write data $D$ to address $A$ and then immediately read from this address, our model will not indicate that the resulting value must be $D$. Nonetheless, it can readily be seen that this abstraction is a conservative approximation of an actual memory: it equates two simulations only when they perform the same reads and writes in the same order, which an actual memory would equate as well, so a mismatch under the abstraction may be spurious but a proof never is. As long as the pipelined processor performs only the write operations indicated by the program, performs writes in program order, and orders reads relative to writes as the program does, the two simulations will produce equal terms representing the final memory states.
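The two memory models just described can be compared on symbolic terms. The following Python is an added example and not code from the paper: the term representation, the syntactic simplifier, and the `count_equalities` helper are constructed for this example, and the symbols $A$, $B$, $D$, $s_0$, $f_I$, $f_u$ and $f_r$ follow the text. It shows that the register-file model (Equation 7) resolves a read after a write to the same address to the written data but introduces one equality test per prior write, whereas the abstract state-machine model introduces no equality tests (so addresses can stay p-terms), cannot resolve the read-after-write, and still distinguishes two write histories that differ only in order, which is what makes it sufficient for comparing the pipeline and ISA simulations.

```python
# Added example, not from the paper: the register-file memory model
# (Equation 7) versus the abstract state-machine memory model of Section 6,
# built as symbolic terms.  Term encoding and simplifier are this example's own.
def var(name):
    return ('var', name)                 # domain variable

def app(f, *args):
    return ('app', f, tuple(args))       # uninterpreted function application

def eq(a, b):
    return ('eq', a, b)                  # equality test between two terms

def ite(c, t, e):
    return ('ite', c, t, e)


def regfile_read(writes, addr):
    """Equation 7: after writes [(A_1, D_1), ..., (A_k, D_k)] (oldest first),
    a read of addr is ITE(addr = A_k, D_k, ... ITE(addr = A_1, D_1, f_I(addr)))."""
    term = app('f_I', addr)
    for a, d in writes:
        term = ite(eq(addr, a), d, term)
    return term


def memory_state(writes):
    """S_0 = s_0, S_i = f_u(S_{i-1}, A_i, D_i): each write arbitrarily
    transforms the whole memory state."""
    s = var('s0')
    for a, d in writes:
        s = app('f_u', s, a, d)
    return s


def abstract_read(writes, addr):
    """Abstract model: a read is f_r(S_k, addr); no address comparisons."""
    return app('f_r', memory_state(writes), addr)


def simplify(t):
    """Purely syntactic: ITE(X = X, a, b) -> a and ITE(c, a, a) -> a.
    Anything else (e.g. A = B for distinct variables) is left symbolic."""
    if t[0] == 'ite':
        c, a, b = (simplify(x) for x in t[1:])
        if c[0] == 'eq' and c[1] == c[2]:
            return a
        return a if a == b else ('ite', c, a, b)
    if t[0] == 'app':
        return ('app', t[1], tuple(simplify(x) for x in t[2]))
    if t[0] == 'eq':
        return ('eq', simplify(t[1]), simplify(t[2]))
    return t


def count_equalities(t):
    """Number of equality tests in a term.  Each test forces its operands to
    be g-terms, which is why register identifiers are g-terms and why the
    abstract model is needed to keep memory addresses as p-terms."""
    if t[0] == 'eq':
        return 1 + count_equalities(t[1]) + count_equalities(t[2])
    if t[0] == 'ite':
        return sum(count_equalities(x) for x in t[1:])
    if t[0] == 'app':
        return sum(count_equalities(x) for x in t[2])
    return 0


def compare_models():
    """Constructed scenario: write D to A then read A; and a read of A before
    and after an unrelated write to B.  Returns the simplified terms."""
    A, B, D = var('A'), var('B'), var('D')
    return {
        'regfile_read_after_write': simplify(regfile_read([(A, D)], A)),
        'abstract_read_after_write': simplify(abstract_read([(A, D)], A)),
        'regfile_read_past_other_write': simplify(regfile_read([(B, D)], A)),
        'abstract_read_before': simplify(abstract_read([], A)),
        'abstract_read_after_other_write': simplify(abstract_read([(B, D)], A)),
    }


if __name__ == "__main__":
    for name, term in compare_models().items():
        print(f"{name}: {term}")
```

The register-file read after the write to $A$ simplifies to $D$, while the abstract read stays $f_r(f_u(s_0, A, D), A)$; the register-file read past a write to $B$ keeps the comparison $A = B$ as ITE control, while the abstract model yields $f_r(f_u(s_0, B, D), A)$, a different term from the pre-write read $f_r(s_0, A)$, exactly the lost correlations the text describes.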

The  remaining  parts  of  the  data  path  include  comparators  comparing  for  matching  register 
identifiers  to  determine  bypass  and  stall  conditions,  and  multiplexors,  modeled  as  ITE  operations 
selecting  between  alternate  data  and  instruction  address  sources.  Since  register  identifiers  are 
modeled  as  g-terms,  these  comparison  and  control  combinations  obey  the  restrictions  of  PEUF. 
Finally,  such  operations  as  instruction  decoding  and  pipeline  control  are  modeled  at  the  bit  level 
using  Boolean  operations. 
7 Experimental Results

In [VB98], we described the implementation of a symbolic simulator for verifying pipelined systems using vectors of Boolean variables to encode domain variables, effectively treating all terms as g-terms. This simulation is performed directly on a modified gate-level representation of the processor. In this modified version, we replace all state holding elements (registers, memories, and latches) with behavioral models we call Efficient Memory Models (EMMs). In addition, all data-transformation elements (e.g., ALUs, shifters, PC incrementers) are replaced by read-only EMMs, which effectively implement the transformation of function applications into nested ITE expressions described in Section 4.2. One interesting feature of this implementation is that our decision procedure is executed directly as part of the symbolic simulation. Whereas other implementations, including Burch and Dill's, first generate a formula and then decide its validity, our implementation generates and manipulates bit-vector representations of terms as the symbolic simulation proceeds. Modifying this program to exploit positive equality simply involves having the EMMs generate expressions containing fixed bit patterns rather than vectors of Boolean variables. All performance results presented here were measured on a 125 MHz Sun Microsystems SPARC-20.

We constructed several simple pipelined processor designs based on the MIPS instruction set [KH92]. We abstract register identifiers as g-terms, and hence our verification covers all possible numbers of program registers, including the 32 of the MIPS instruction set. The simplest version of the pipeline implements ten different Register-Register and Register-Immediate instructions. Our program could verify this design in 48 seconds of CPU time and just 7 MB of memory using vectors of Boolean variables to encode domain variables. Using fixed bit patterns reduces the complexity of the verification to 6 seconds and 2 MB.

We then added a memory stage to implement load and store instructions. An interlock stalls the processor one cycle when a load instruction is followed by an instruction requiring the loaded result. Treating all terms as g-terms and using vectors of Boolean variables to encode domain variables, we could not verify even a 4-bit version of this data path (effectively reducing $|\mathcal{D}|$ to 16), despite running for over 2000 seconds. The fact that both addresses and data for the memory come from the register file induces a circular constraint on the ordering of BDD variables encoding the terms. On the other hand, exploiting positive equality by using fixed bit patterns for register values eliminates these variable ordering concerns. As a consequence, we could verify this design in just 12 CPU seconds using 1.8 MB.

Finally, we verified a complete CPU, with a 5-stage pipeline implementing 10 ALU instructions, load and store, and MIPS instructions j (jump with target computed from instruction word), jr (jump using register value as target), and beq (branch on equal). This design is comparable to the DLX design [HP96] verified by Burch and Dill in [BD94], although our version contains more of the implementation details. We were unable to verify this processor using the scheme of [VB98]. Having instruction addresses dependent on instruction or data values leads to exponential BDD growth when modeling the instruction memory. Modeling instruction addresses as p-terms, on the other hand, makes this verification tractable. We can verify the full, 32-bit version of the processor using 169 CPU seconds and 7.5 MB.


8  Conclusions 

Eliminating  Boolean  variables  in  the  encoding  of  terms  representing  program  data  and  instruction 
addresses  has  given  us  a  major  breakthrough  in  our  ability  to  verify  pipelined  processors.  Our  BDD 
variables  now  only  encode  control  conditions  and  register  identifiers.  For  classic  RISC  pipelines, 
the  resulting  state  space  is  small  and  regular  enough  to  be  handled  readily  with  BDDs. 

We believe that there are many optimizations that will yield further improvements in the performance of Boolean methods for deciding formulas involving uninterpreted functions. We have found that relaxing functional consistency constraints to allow independent functionality of different instructions, as was done in [DPR98], can dramatically improve both memory and time performance. We look forward to testing our scheme for generating a propositional formula using Boolean variables to encode the relations between terms. Our method exploits positive equality to greatly reduce the number of propositional variables in the generated formula, as well as the number of functional consistency and transitivity constraints. We are also considering the use of satisfiability checkers rather than BDDs for performing our tautology checking.

We consider pipelined processor verification to be a "grand challenge" problem for formal verification. We have found that complexity grows rapidly as we move to more complex pipelines, including ones with out-of-order execution and register renaming. Further breakthroughs will be required before we can handle complete models of state-of-the-art processors.